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Blind Quantum Computing (BQC) pQ [2 |3 01 [S] allows a client to have a server carry out 

(-H a quantum computation for them such that the client's input, output and computation remain 

O , private. Recently the authors together with Broadbent proposed a universal unconditionally 

. '. secure BQC scheme [Hj where the client only needs to be able to prepare single qubits in separable 

^ states randomly chosen from a finite set and send them to the server, who has the balance of 

the required quantum computational resources. A desirable property for any BQC protocol is 
verification, whereby the client can verify with high probability whether the server has followed 
the instructions of the protocol, or if there has been some deviation resulting in a corrupted 
output state. A verifiable BQC protocol can be viewed as an interactive proof system leading 
to consequences for complexity theory [3J |U [7] ■ 
I — In this paper we extend the BQC protocol presented in [3| with new functionality allowing 

y—( blind computational basis measurements, which we use to construct a new verifiable universal 

CN BQC protocol based on a new class of resource states. We rigorously prove that the probability 

*^ of detecting an incorrect output is exponentially small in a security parameter, while resource 

(T^ overhead remains polynomial in this parameter. The new resource state allows entangling gates 

^D to be performed between arbitrary pairs of logical qubits with only constant overhead. This 

^^ is a significant improvement on the original scheme, which required that all computations to 

. . be performed must first be put into a nearest neighbour form, incurring linear overhead in the 

^ number of qubits. Such an improvement has important consequences for efficiency and fault- 

tolerance thresholds. 
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1 Introduction 

Scalable quantum computing has proven extremely difficult to achieve, and when the technology 
to build large scale quantum computers does become available it is likely that they will appear 
initially in small numbers at a handful of centres. How will a user interface with such a quantum 
computer? The solution is blind quantum computing (BQC) that enables a classical client (called 
Alice) with limited quantum technology to delegate a computation to the quantum server(s) (called 
Bob) in such a way that the privacy of the computation is preserved [H [21 |3l IU [5] . 

The concept of blind classical computing was proposed hrst by Feigenbaum [1^ and then ex- 
tended by Abadi, Feigenbaum and Killian |11| . They studied the notion of "computing with en- 
crypted data", and showed that for some functions /, an instance x can be efhciently encrypted 



into z = Ek{x) in such a way that Ahce can recover f{x) efficiently from k and f{z) computed by 
Bob. Moreover Abadi, Feigenbaum and Kihian showed that no NP-hard function can be computed 
bhndly if unconditional security is required, unless the polynomial hierarchy collapses at the third 
level [H] . Even restricting the security condition to be only computationarj the question of the 
possibility of blindly computing known circuits remained open for 30 years [12j . 

Unlike classical computing, quantum mechanics can overcome the limitation of computational 
security. An example of the blind quantum computation was first proposed by Childs ^ based 
on the idea of encrypting input qubits with a quantum one-time pad [13l|T3]. At each step, Alice 
sends the encrypted qubits to Bob, who applies a known quantum gate (with some gates requiring 
further interaction with Alice). Bob returns the quantum state, which Alice decrypts using her key. 
Cycling through a fixed set of universal gates ensures that Bob learns nothing about the circuit. 
The protocol requires fault-tolerant quantum memory and the ability to apply local Pauli operators 
at each step, and does not provide any method for the detection of malicious errors. 

Similarly, still in the model where the function is classical and public, Arrighi and Salvail [2] gave 
an approach using quantum resources. The idea of their protocol is that Alice gives Bob multiple 
quantum inputs, most of which are decoys. These are quantum states which are not intended to be 
part of the desired computation, but rather are used to detect a deviation from the protocol by Bob. 
Bob applies the target function on all inputs, and then Alice verifies his behaviour on the decoys. 
The protocol only works for a restricted set of classical functions called random verifiable where it 
is possible for Alice to efficiently generate random input-output pairs. Moreover, the protocol does 
not prevent Bob from learning Alice's private input; it relies upon quantum physical information 
gain versus disturbance trade offs to achieve cheat-sensitive security against individual attacks. 

Aside from the cryptographic scenario, a different scheme based on authentication was proposed 
by Aharonov, Ben-Or and Eban [1], where they showed that any language in BQP has an interactive 
proof system with a nearly classical verifier. Their protocol can be also used for blind quantum 
computation. However, their scheme requires that the verifier (Alice) has quantum computational 
resources and memory to act on a constant-sized register. 

On the other hand, in a recent scheme proposed by the authors together with Broadbent [3], 
based on the framework of measurement-based quantum computing [6j, all Alice needs is a clas- 
sical computer and a very weak quantum instrument. We gave the first universal blind quantum 
computation (UBQC) protocol that allows Alice (who does not have any quantum computational 
resources or quantum memory) to interact with a server Bob (who has a quantum computer) in 
order for Alice to obtain the outcome of her target computation such that privacy is preserved. 
This means that Bob learns nothing about Alice's inputs, outputs, or desired computation. The 
privacy is perfect, not relying on any computational assumptions, and holds no matter what actions 
a cheating Bob undertakes. The protocol works for any quantum circuit and assumes Alice has a 
classical computer, augmented with the power to prepare single qubits in separable states randomly 
chosen from the set H+e) = 4s (|0) + e*^ |1)) \ 9 = 0, 7r/4, 27r/4, . . . , Jtt/A}. The required quantum 
and classical communication between Alice and Bob are linear in the size of Alice's desired quantum 
circuit. Interestingly, if verification is not required it is sufficient for Alice's classical computation 
to be simply addition modulo 8, though no such restricted model is yet known to be sufficient for 
verification. Similar observations in a non-cryptographic context have been made in p^. Except 
for an unavoidable leakage of the size of Alice's data [TT], Alice's privacy is perfect. 

Following this work a similar scheme which exploits the ground state of Affieck-Kennedy-Lieb- 



^A cryptosystem is unconditionally secure (also refereed to as "information-theoretically secure") if it is secure even 
when the adversary has unlimited computing power. A weaker notion is computational security where the adversary 
power is restricted to efficient computation. 



Tasaki (AKLT) chains as a novel resource state was also proposed, also within the model of 
measurement-based quantum computing, leading to more robust computation on Bob's side [5j. 
More recently the concept of blindness has been also extended to the approximate setting where 
using an amplification technique similar to the quantum key distribution scenario, a new BQC 
protocol where Alice has access to coherent states only, was proposed [T6] . 

All previous protocols for blind quantum computation require technology for Alice that is to- 
day unavailable: Arrighi and Salvail's protocol requires multi-qubit preparations and measurements, 
Childs' protocol requires fault-tolerant quantum memory and the ability to apply local Pauli oper- 
ators at each step, while Aharonov, Ben-Or and Eban's protocol requires a constant-sized quantum 
computer with memory. In sharp contrast to this, from Alice's point of view, our protocol can be 
implemented with physical systems that are already available and well-developed. The building 
blocks for this type of blind computation protocol have recently been demonstrated the first time 
using polarization-entangled photonic qubits [17] . 

A desirable property for any UBQC protocol is verification (also known as authentication), 
that is detection of a cheating Bob. Note that if Alice wants to compute the solution to a classical 
problem in NP, she could efficiently verify the outcome. An interfering Bob is not so obviously 
detected in other cases. The main contribution of the present paper is to present a new protocol 
that compared to the original protocol offers a more rigorous but intuitive proof of verification. 
Where Alice can verify with high probability whether Bob has followed the instructions of the 
protocol and the output state is indeed in the correct form, or if there has been a deviation and 
therefore she would reject the output state. 

The rest of this paper is organised as follows. Section 2 and 3 summarise various required con- 
cepts from measurement-based quantum computing and also the original UBQC scheme presented 
in [3]. In order to construct our new verifiable UBQC protocol we first introduce the concept of 
dummy qubits in Section 4, where we assume Alice now can prepare a qubit randomly chosen not 
only from the set A defined above, but also from the set {|0) , |1)}. The latter qubits are called 
dummy qubits as they have no effect on the actual underlying computation. However, they permit 
the blind construction of isolated trap qubits in the state I+q) as explained in Section 6 where 
the core concept of verification is introduced. In order to deal with universality, in Section 5 we 
introduce a new resource state called the dotted-complete graph states which allow us to adapt the 
topological fault-tolerant measurement-based quantum computation scheme due to Raussendorf, 
Harrington and Goyal [9j to our blind setting. The use of this scheme is expected to lead to sub- 
stantially increased thresholds for fault tolerant computing in the blind setting. A threshold for 
fault-tolerant blind computation in the absence of verification based on this fault-tolerance scheme 
was previously calculated as 4.3 x 10~^ by Fujii and Morimae [18]. As shown in Section 6, intro- 
duction of a single blind isolated trap qubit leads to a verifiable blind quantum computing protocol 
with security polynomial in the total number of qubits. In order to boost the security while main- 
taining universality a new scheme has to be constructed. This is done in Section 7 where we put 
together various constructions of the previous sections to present the main result of this paper, 
a universal exponentially secure verifiable and fault-tolerant blind quantum computing protocol. 
Moreover, similar to the original UBQC protocol [5, the new protocol can also be adapted to pro- 
vide a two-prover interactive proof for any languages in BQP with a purely classical verifier, though 
a full discussion of this adaptation is beyond the scope of the current manuscript. 



2 Preliminaries 

Measurement-based quantum computing (MBQC) [6l [19] is a novel form of quantum information 
processing, where the key twin notions that distinguish quantum information processing from its 
classical counterpart, entanglement (creating non-local correlations between quantum elements) and 
measurement (observing a quantum system), are the explicit driving force of computation. More 
precisely, a measurement-based computation consists of a phase in which a collection of qubits are 
set up in a standard entangled state. Measurements are then made on individual qubits and the 
outcomes of the measurements may be used to determine further adaptive measurements. Finally, 
again depending on measurement outcomes, local adaptive unitary operators, called corrections, 
are applied to some qubits; this allows the elimination of the indeterminacy introduced by mea- 
surements. Conceptually MBQC separates the quantum and classical aspects of computation; thus 
it clarifies, in particular, the interplay between classical control and the quantum evolution process. 
The UBQC protocol explores this unique feature of MBQC as it has been proven to be conceptually 
enlightening to reason about distributed computing tasks using this approach L20J. We begin by 
describing all the required elements for an MBQC protocol and then move to the particular family 
of distributed MBQC protocols for hiding various aspects of a given computation. 

2.1 Single party (undistributed) MBQC protocol 

A single party MBQC protocol consists of the following three elements: 

• A uniform family of open graph stategj{(G„^mi In, On)}n over m vertices associated with in- 
dividual qubits, where n is the size of the input/output space of the underlying computatiorj^ 
We usually assume that \I\ = \0\ = n, however sometime n is taken to be strictly larger than 
the dimension of the input/output Hilbert space due to the existence of auxiliary input or 
output qubits (as in later protocols which incorporate trap qubits). In order to have uniform 
notation, for the latter case, we will still use I/O to be the class of all non-prepared/non- 
measured qubits where it is strictly larger than the class of all input/output qubits. By the 
term "uniform family" we simply mean that for any protocol there exist a classical Turing 
machine that for a given input of the size n describes the required graph over m>n vertices. 
If the underlying geometry of the graph is regular, for example being one-dimensional lines, 
two-dimensional regular lattices or brickwork graphs (as we describe later), then instead of 
referring to the Turing machine to define the uniform family we simply use fixed parameters 
such as the size of the line or lattice to specify the graphs. For any fixed input size n the 
graph Gn,m describes the initial quantum state of the protocol. Given an arbitrary state of 
the input qubits corresponding to the input vertices of the graph, one prepares m — n qubits 
in the state |-|-) = 4^(10) + |1)) corresponding to all non-input qubits (I'^) in the graph and 
then apply control-Z operator between qubits i and j, if the corresponding vertices in Gn,m 
are connected. Note that since the control-Z gate is symmetric the direction of the edge is 
not important and hence we are working with undirected graphs. We will usually refer to the 
obtained quantum state based on the graph Gn,m as the graph state Gn,m, unless a different 
notation is more appropriate, also for simplicity we drop the subindex m. 



^An open graph state (G, /, O) consists of an undirected graph G together with two subsets of nodes / and O, 
called inputs and outputs. 

^In this paper we deal only with those MBQC protocol that implements a unitary operator over their input space 
and hence the size of the output space is the same as the input space, but this is not a restriction and we can extend 
this treatment to any general CP map by padding the input and output spaces. Further, for simplicity, we will assume 
that the input is always a pure state, though again this treatment can be extended to the general case. 



• A set of angles (pi £ A where A C [0, 2tt) for all non-output qubits, to describe a collection 
of single qubit (X, y)-measurements, that is measurement in the bases ^(|0) =b e"'^' |1)). For 
the specific class of MBQC protocols that we discuss in this paper we require the angles to 
specify a collection of measurement bases, such that individual measurements are unbiased 
with respect to the initial state. This is an essential ingredient for the blindness property that 
we define later. Without loss of generality, we can fix the set from which the angles are chosen 
to be A = {0, vr/4, 27r/4, • • • , 7tt/4}. We will discuss later how this combination of angles and 
particular families of graph states leads to approximate universality. 

• The last ingredient is the structure of the dependency among the measurements. It is known 
that despite the probabilistic nature of the measurements, an MBQC protocol can imple- 
ment a unitary computation over the input space by introducing a casual structure over the 
measurements. This is done by allowing any measurement on qubit i to be dependent on the 
result of some (possibly none) previously measured qubits. Let Si £ {0,1} be the classical 
result of the measurement at qubit i. There are two type of dependencies, called X and Z 
dependency. If a measurement at qubit i is X or Z dependent on the Sj where qubit j has 
been already measured then the actual angle of the measurement of qubit i during the pro- 
tocol run is {—l)^^(pi or (pi + sjtt respectively. Naturally one needs a non-cyclic structure to 
be able to run such dependencies and for an arbitrary graph such construction (if it exists) is 
formalised by the notion of the flow of the graph |21ll22j . A function (f : O'^ ^ I^) from the 
measured qubits to non-input qubits and a partial order {<) over the vertices of the graph 
such that Mi : i ^ f{i) and Vj S Ndi) ■ f{i) ^ j, where Ncii) denotes the neighbourhood 
of vertex i in G. Each qubit k is X dependent on f~^{k) and Z dependent on all qubits / 
such that k G Ncifil))- Note that if the dependency set is empty, that is there is no qubit 
q such that q = f~^{k) or g S A^g(/(0) then we set the convention that the corresponding 
value of Sq is zero and hence we can use the same formulas {{—l)^^(j)i or (pi + sjtt) to compute 
the dependent angles. 

The above describes only a non-distributed (single party) MBQC protocol, that is a protocol 
where a party both prepares the graph state and performs the sequence of the dependent measure- 
ments according to the order given by the flow (see [Hlin] for more details on MBQC computation). 
One can easily extend the above definition to the distributed setting where different elements of 
the protocol are accessible and known only to specific parties and through classical/quantum com- 
munication the parties collaborate to perform a specific computation. Consider a simple two-party 
example where Alice has the information about the angles and Bob has the information about the 
graph and hence he can calculate the flow. Then they can collaborate to perform the corresponding 
computation as follows: first Bob prepares the required graph state and asks Alice to send him the 
classical information about the angles of the measurement, Bob then computes the dependency and 
performs the measurement and so forth. The purpose of this paper is to describe a family of such 
distributed protocols where, despite the communication, Alice can keep the measurement angles 
hidden from Bob. We then show that, for certain carefully chosen graph families, hiding these angles 
is sufficient to hide the full underlying computation together with the input and outputs. 

2.2 2-Party (distributed) Hiding Protocols 

We define a specific family of two-party (Alice and Bob) MBQC protocols (which we term hiding 
protocols) that can be shown to be "blind" in the sense that Alice can hide information from Bob. 
For simplicity, instead of working with a family of graphs representing the computation over an 
arbitrary size input, we fix the input size to be n and we denote hy m > n the total number of 



vertices in the graph and hence the total number of qubits in the equivalent single-party protocol. 
Note that if we desire to have an efficient protocol, then we restrict the computation of the protocol 
to be of the polynomial size by requiring that m = Poly(n). However blindness is independent of 
any complexity assumptions so we do not, in general, restrict the size of m. 

The protocol will be interactive having m — n steps if the output is quantum or m steps if the 
output is classical, where at each step a single qubit is measured. In practice we can parallelise the 
protocol to D steps, where D is the depth of the partial order of the flow of the graph |23ll24j . This 
is due to the special structure of the partial order of the qubits defined by the flow function whereby 
all the qubit in the same class of the partial order are independent of each other and hence can be 
measured in parallel, i.e. at the same time. However this parallelisation will make no difference to 
the concept of blindness that we are concerned with, so we keep the simple convention that at each 
step only one qubit is measured. Furthermore we assume for the case of classical output that all of 
the output qubits are measured in the final step with a Pauli X measurement. Again this is simply a 
convention for the discussion in our paper and in general the output qubits could be measured with 
any angles and in different steps depending on the fiow construction. Such a convention does not 
affect universality, as the circuit being implemented can simply by modified to replace measurements 
in arbitrary bases with measurements in fixed bases preceded by an appropriate local rotation. 

We will denote by s a sequence of length m — n with value in {0,1} describing the result of the 
non-output measurements performed so far. In the case of classical output, where output qubits are 
measured as the last n steps, s is a sequence of length m. The value associated with a qubit that is 
not yet measured are set to 0, and hence at the beginning of the protocol before any measurement 
being performed we set s = 0, 0, • • • ,0. We will denote by s<j the prefix of length i of s and elements 
of s are denoted by Sj. Whenever adding the values of Sj and Sj we define their sum modulo 2. All 
the qubits in the protocol are enumerated in such a way that at position i all qubits with label 
less than i are measured before measuring qubit i. Any total ordering of the qubits consistent with 
partial ordering of the flow will work and as a result the measurement at qubit i will depends only 
on the string s<j . 

We describe flrst a generic hiding protocol with quantum input and output (Protocol [T]) and 
one with classical input and output (Protocol pi) and then formalise various derivatives of them to 
obtain universal, blind and veriflable protocols. Protocol [2] is exactly the same as Protocol [l] except 
that the steps for encoding input are removed and all the output qubits are measured in the Pauli 
X basis o 

The outline of the main protocol is as follows. Alice has in mind a unitary operator U that is 
implemented with a measurement pattern on some graph state G with its unique flow function /, 
and measurements angles in A. This pattern could have been designed either directly within the 
MBQC framework or from a circuit construction. The pattern assigns a measurement angle 0, to 
each qubit in G, however during the execution of the pattern, the actual measurement angle (p'^ is a 
modification of (j)i that depends on previous measurement outcomes instructed by / in the following 
way mi [22]: 

As said before, in a standard MBQC pattern all the non-input qubits are prepared in the state 
|-|-) and all the input qubits in the desired input state \I). Considering such quantum input allows 

*Note that for simplicity of presentation we have chosen to measure the output qubits with Pauh X, so that the 
same evaluation function C of the non-output measurements, in Protocollll can be used for the output qubits. However 
one could add separate evaluation function for the output qubit measurement to perform Pauli Z measurement over 
them. 



for the possibility of Alice having additional capabilities allowing her to produce arbitrary input 
states, or for the possibility that the input state is supplied on Alice's behalf by a third party. In 
our protocols, in order to hide the information about the angles some randomness has to be added 
to the preparation and consequently the measurements have to be adjusted to compensate for this 
initial randomness to obtain the correct outcome. Hence, Alice prepares all the non-input qubits 
in \+e-) for some randomly chosen 9i ^ A and also applies a full quantum one-time pad encryption 
over the input qubits using random keys Xj G {0, 1} and 6i ^ Am. the following way: 

before sending all qubits to Bob. After that. Bob entangles qubits according to G. Note that this 
unavoidably reveals upper bounds on the dimensions of the underlying quantum computation, 
corresponding to the length of the input and depth of the computation. The computation stage 
involves interaction: for each qubit, Alice sends Bob a classical message 5i ^ A to tell him in which 
basis (in the {X, Y) plane) he should measure the qubit. This angle is computed in such a way as 
to correct for the one-time padding of the input qubits and the random rotation of the non-input 
qubits, as follows: 

j--ieNa{fiJ)) 

where the last term rjvr, with a randomly chosen r^ € {0, 1}, is added to hide the correct classical 
outcome of the measurement from Bob without effecting the overall computation (see correctness 
proof below). Bob then performs the measurement and communicates the outcome 6j to Alice. 
Alice's choice of angles in future rounds will depend on these values, hence she will correct the 
obtained outcome by setting Sj := hi® ri. If Alice is computing a classical function, the protocol 
finishes when all qubits are measured (Protocol pi), as the classical outputs are encoded in the 
measurement outcomes sent to Alice. If she is computing a quantum function, Bob returns to her 
the final qubits (Protocol [T]) , and it is taken that the quantum output is encoded in these qubits. 
Note that in Protocol [2] we take the input to be |+) (8) • • • (8) |+), an encoding of the fixed classical 
input • • • 0, any other arbitrary classical input ii- ■ ■ in is prepared by applying appropriate Z on 
the corresponding qubit to create 

\e) = Zi' C^ . . . (g) Zti\+e^) «> • • • ^ l+ej) • 

For classical input there is no need for a full one-time padding of the input hence no need for the 
Xi random variables as 9i rotation completely hides the input. 

The above explanation is the basis for the correctness of all of the protocols presented in this 
paper. 

Definition 1. A hiding protocol with quantum input is correct if the quantum output state is U \I) 
or if the classical outputs are the result of Pauli X measurements y\ on the state U\I), where U is 
the unitary operator corresponding to the implementation of the measurement pattern of the hiding 
protocol. Similarly one could define correctness for protocols with classical input. 

Theorem 1 (Correctness). Assume Alice and Boh follow the steps of Protocols\^and^ Then the 
outcome is correct. 

^Recall that for simplicity of presentation we have chosen to measure the output qubits with Pauli X. 



Proof. Here we explicitly give a proof only for the case of quantum input and output, as the re- 
maining cases have virtually identical proofs. The protocol deviates in three ways from the standard 
implementation of the desired measurement pattern defined by a graph state G with measurement 
angles (pi: a random Z(6i) rotation over all qubits; a random X^^ rotation over the input qubits; 
measuring with angles 6i. However, since ctrl-Z commutes with Z-rotations, Alice's preparation 
does not change the underlying graph state; only the phase of each qubit is locally changed, and 
it is as if Bob had done the Z-rotation after the ctrl-Z. Let cp'^ be the adapted angles of the 
measurement (pi according to the flow structure of the desired measurement pattern defined by 



G. Note that a measurement in the 



basis on a state lib) is the same as a measure- 



ment in the 



basis on Z{6i) {ip). Also a measurement in the 



basis 



on a state \ip) is the same as a measurement in the +_^'. ) , —-0' ) basis on X \ip). Finally since 

Si = {—l)^^(p[ + 9i + vrrj, if r, = 0, Bob's measurement has the same effect as Alice's target mea- 
surement; if rj = 1, all Alice needs to do is to flip the outcome. Therefore all the deviation from 
the actual implementation of the measurement patter are corrected and the quantum output is the 
desired state corresponding to the action of the unitary operator implemented by the graph state 
G over the input state. D 



3 Blindness 

We say a hiding protocol is blind if Bob cannot tell anything relating to the angles of measurements. 
In considering this it is worth noting that Bob can run the protocol only once with fixed values for 
Alice's parameters (pi,9i,ri,Xi. Later we will show how for generic graphs this will lead to hiding 
the output of the computation as well. Following the convention of [11], we use the notation of a 
leakage function, denoted as L{X), to formalise what Bob learns during the interaction. 

Definition 2. A hiding protocol P with input X is blind while leaking at most L{X) if: 

1. The distribution of the classical information obtained by Bob in P is dependent only on L{X). 

2. Given the distribution of classical information described in [7] and L{X), the state of the 
quantum system obtained by Bob in P is fixed. 

Theorem 2 (Blindness). Protocols [I] andf^ are blind while leaking at most G. 

Proof. Necessarily Bob learns G as he is instructed to entangle all the received qubits according 
to G. We show now that for a fixed G every possible set 5 = {5i} occurs with equal probability 
(satisfying the first condition). We then prove that for a fixed set of angles 5 the state of the 
quantum system obtained by Bob is the maximally mixed state, and hence independent of both 
(p = {(pi} and Pi (the quantum input state), thereby satisfying the second condition. 

For simplicity, we first prove the blindness for Protocol [2] with no quantum input or output. 
Alice's secret angles consist oi (p = {(pi}., with the actual measurement angles (p' = {(p'i) being a 
modification of cp that depends on previous measurement outcomes. Let the classical angles that 
Bob receives during the protocol be 5 = {(5j}, and let p be the quantum system initially sent from 
Alice to Bob. 

To show independence of Bob's classical information, let 9[ = 9i + nri (for a uniformly random 
chosen 9i) and 9' = {9[}. We then have 6 = (p' + 9' , with 9' being uniformly random. Thus the 
distribution of S is also the uniformly random distribution, and is hence independent of (p and/or 
(p' (satisfying the first condition). 



Protocol 1 Generic Hiding Protocol with Quantum Input and Output 

• Alice's resources 

- Graph G over m vertices where labeUing of vertices are in such a way that the first n qubits 
are input and the last n qubits are output. 

- An n-qubit input state |/). 

- A sequence of non-output measurement angles, (p = (0i)i<i<(m.-n) with (pi £ A. 

- m random variables 9i with values taken uniformly at random from A. 

- n random variables Xi and m — n random variables r j with values taken uniformly at random 
from {0, 1}. 

- A fixed function Cg that for each non-output qubit i (1 < i < m — n) computes the angle 
of the measurement of qubit i to be sent to Bob. This function depends on (j)i,9i,ri,Xi and 
the result of the measurements that have been performed so far (s<j). The function Co also 
depends on the flow (/, :<) of the graph G. However, since the flow of the graph G is unique 
(if it exists), we need not take flow as a parameter of the function Gq- We have 

Gg ■■ {I, ■■■, (m - n)} X A X A X {0,1} X {0, 1} x {0, 1}™-" -^ A 

(i, (pi, Oi, n, Xi, s) ^ (-l)^'+''/-'W0j + iJ2j;ieNG(f{j)) ^i)^ + 0i + riTT 
where Xk for n + 1 < k < m and also Sk for any non-defined value of k is set to zero. 

• Initial Step 

- Alice's move: Alice sends Bob the graph G and sets all the values in s to be 0. Next she 
sends m qubits in the order of the labelling of the vertices of the graph, as follows: first, Alice 
encodes the n-qubit input state as 

|e) = A^iZ(ei) ® . . . X'^-ZiOn) \I) 

and sends them as the first n qubits to Bob. She then prepares m — n single qubits in the 
state 1+9,) {n + 1 < i < m) and sends them to Bob as the remaining qubits. 

- Bob's move: Bob receives m single qubits and entangles them according to G. 

• Step i : 1 < i < {m — n) 

- Alice's move: Alice computes the angle 5i = GG{'i',(pi-,Oi,ri,Xi,s) and sends it to Bob. 

- Bob's move: Bob measures qubit i with angle 6i and sends Alice the result bi. 

- Alice's move: Alice sets the value of Si in s to be 6,- © r,-. 



Step i : m — n+l<i<m 

- Bob's move: Bob sends qubit i to Alice. 

- Alice's move: Alice applies X''f-''(')Z^r-ieNa(fU))^^ z{ei) over qubit i. 



Protocol 2 Generic Hiding Protocol with Classical Input and Output 

• Alice's resources 

- Graph G over m vertices where labelling of vertices are in such a way that the first n qubits 
are input and the last n qubits are output. 

- A sequence of non-output measurement angles, </> = {4'i)i<i<{m~n) with (pi £ A. 

- m random variables 6i with values taken uniformly at random from A. 

- m random variables rj with values taken uniformly at random from {0, 1}. 

- A fixed function Cq that for each non output qubit i {1 < i < m) computes the angle of 
the measurement of qubit i to be sent to Bob: 

Cg : {1, • • • , W X ^ X ^ X {0, 1} X {0, 1}™ -^ A 

{i,(l)i,9i,ri,s) ^ (-l)''^~'W</'i + (Ej:ieJVG(/{i))'^i)^ + ^^ + ''*^ 
where Sk for any non-defined value of k is set to zero, also (pi = for m — n + 1 < i < m. 

• Initial Step 

- Alice's move: Alice sends Bob the graph G and sets all the value in s to be 0. Next she 
sends m qubits in the order of the labelling of the vertices of the graph, as follows: first, Alice 
encodes the n-bit string classical input ii- ■ ■ in as state 

\e) = Zi' (S) . . . (S) Zi"{\+er) » • • • » |+e„» = l+Si+ii^) » • • • |+e„+i„^> 

and sends them as the first n qubits to Bob. She then prepares m — n single qubits in the 
state |+6ij) (n -|- 1 < i < m) and sends them to Bob as the remaining qubits. 

- Bob's move: Bob receives m single qubits and entangles them according to G. 

• Step i : 1 < i < m 

- Alice's move: Alice computes the angle 6i = Ccii, (pi-, 0i, ri, s) and sends it to Bob. 

- Bob's move: Bob measures qubit i with angle Si and sends Alice the result bi. 

- Alice's move: Alice sets the value of s,- in s to be 6,- © r,-. 
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In Protocol [2j there is no quantum input, and so the quantum system Bob receives from Ahce 
is composed only of the qubits prepared in states \ipi) = l+ej- For each qubit i, we fix 5i. Because 
ri is uniformly random, one of the following two has occurred: 

1. ri = so 5i = <^- + e'- and |V^i) = ^(|0) + e^^^^-^'^^ |1), or 

2. ri = \ so bi = <!)[ + e'i + TT and \^i) = ^(|0) - e'^^^~^'''> |1). 

For any given rj there is a unique value of 6i such that Si takes any given value. Thus 6i is 
independent of rj. Tracing over all r^ we see that for any fixed value of 5i each qubit of p is left 
in the maximally mixed state, and so p = 1/2*", where m is the total number of qubits sent by 
Alice to Bob. Hence the state of the quantum system obtained by Bob in Protocol [2] is fixed and 
independent of the angles {cpi} (satisfying the second condition). 

Similarly we can prove the blindness of Protocol [T} The only difference is that Alice has per- 
formed a full one-time pad over the input qubits and the first layer of the measurements are adapted 
to undo these if required. However the quantum system initially sent from Alice to Bob is again 
the maximally mixed state. This is due to the fact that for each qubit i in the input state tracing 
over Tj and Xi leaves the system in the maximally mixed state. D 

4 Dummy Qubits 

In order to obtain an intuitive method for achieving verification, we construct an extension of 
Protocol [I] and [2] (see Protocol |3]) where Alice can also prepare qubits in the state \z) where z is 
chosen uniformly at random from {0,1}. These qubits are called dummy qubits, as they will not 
be part of actual computation. A dummy qubit remains disentangled from the rest of the qubits 
of the graph state and, as we prove later, the addition of these dummy qubits does not affect the 
correctness or blindness of the hiding protocol. These dummy qubits are measured with random 
angles which again will not affect the actual computation due to the fact that they are disentangled 
from the rest of the qubits. However, as we prove in the next section, these dummy qubits allow 
Alice to easily add isolated trap qubits to the computation and achieve verification. Note that Alice 
must keep the position of the dummy qubits hidden from Bob (i.e. part of the secret) in order to 
keep the position of any trap qubits hidden. The addition of the dummy qubits can also be viewed 
as a method for the blind implementation of the Pauli Z basis measurements. This is due to the fact 
that their position is hidden from Bob and from his point of view they are measured in the {X, Y) 
plane as well. However due to their preparation state (|0) or |1)) through the entangling step, they 
have the same effect of measuring the corresponding qubit in the Pauli Z basis. Therefore, we use 
the term blind Pauli Z measurement interchangeably with dummy qubits in the rest of the paper. 
Due to the addition of dummy qubits, we will assume from now on that n is an upper bound over 
the number of the input or output qubits. This is required to allow the possibility of having trap or 
dummy qubits as part of the input or output system. Therefore in the design of the measurement 
pattern, auxiliary qubits are added to the input and output space in such a way that the actual 
computation remains intact. 

Theorem 3. Assum,e Alice and Bob follow the steps of Protocol^ Then the outcome obtained is 
the same as if the computation took place over the graph G after removal of the dummy vertices in 
D, the set of positions of dummy qubits in G. 

Proof. The proof is similar to the proof of Theorem [T| the only new element is the effect of the 
dummy qubits. If a dummy qubit is in the state |0) then in the entangling step this qubit does 

11 



Protocol 3 Generic Hiding Protocol with Quantum Input and Output and Dummy Qubits 

• Alice's resources 

- Graph G over m vertices where labeUing of vertices are in such a way that aU the / input 
qubits are located among the first n > I qubits and all the / output qubits are located among 
the last n qubits. 

- An ^qubit input state |/). 

- The dummy qubits positions, set D, chosen among all possible vertices except the I input 
and I output qubits. 

- A sequence of non-output measurement angles, (j) = i4'i)i<i<(m-n) with (f>i ^ A where (pi = 
for all i £ D. 

- m random variables 6i with value taken uniformly at random from A. 

- I random variables Xj, m — n random variable rj and \D\ random variable di with values 
taken uniformly at random from {0, 1}. 

- A fixed function Cq that for each non output qubit i (1 < i < m — n) computes the angle 
of the measurement of qubit i to be sent to Bob: 

Cg : {1, • • • , ("^ - ^)} X ^ X A X {0, 1} X {0, 1} x {0, 1}™-" -^ A 

(i, (pi, Oi, n, Xi, S) ^ {-lf'^'f-H^)(Pi + (Ej:iG7VG{/(i)) ^i)^ + 0i+ riTT 

where Xk for n + 1 < k < m and s^ for any non-defined value of k are set to zero. 

• Initial Step 

- Alice's move: Alice sends Bob the graph G and sets all the value in s to be 0. Alice encodes 
the /-qubit input state as 

|e) = A^iZ(0i) . . . ® A^'Z(eO |/) 

and positions them among the first n qubits. She then prepares the remaining qubits in the 
following form 



yie D \d,i) 



+^»+E,piv^(i)nl5'^j'^ 



jeiVQ(i)ni5"J' 



Then Alice sends Bob all m qubits in the order of the labelling of the vertices of the graph. 

- Bob's move: Bob receives m single qubits and entangles them according to G. 

• Step i : 1 < i < {m — n) 

- Alice's move: Alice computes the angle 5i = CG{i,(pi,0i,ri,s) and sends it to Bob. 

- Bob's move: Bob measures qubit i with angle 5i and sends Alice the result bi. 

- Alice's move: Alice sets the value of Si in s to be bi © r^. 

• Step i : m — n+l<i<m 

- Bob's move: Bob sends qubit i to Alice. 

- Alice's move: Alice applies X'^f-H') Z^^■■'^'^'G(fU))''^ Z{ei) to qubit i. 
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not affect the state of the other qubits. However, if the dummy qubit is in the state |1) then the 
entanghng operation will introduce a Pauli Z rotation on all the neighbouring qubits in G. Hence 
a qubit i ^ D will be affected by the operator nieAfG(j)nZ) ^'^^ ■ However, in the initial step, Alice 
already applied the operation Wji=.NaU)nD ■^'^^ '^^^'^ ^^^ prepared qubits and therefore all qubits 
i ^ D are in the desired state |+6»i), since Z operator is self-inverse. Moreover all the dummy qubits 
are disentangled from the rest of qubits and are measured in a random basis with no consequences 
for the part of the computation taking place over the graph G after removing vertices D. D 

Theorem 4. The generic hiding protocol with dummy qubits, Protocol^ is blind while leaking at 
most G. 

Proof. Proof follows along similar lines of Theorem ^ As before let 6'^ = 9i + Trrj. Alice's total 

communication to Bob consists of the initial quantum states, which we can rewrite as +e'_7r 

if the qubit is not a dummy qubit or S_r {|0) , |1)} if it is a dummy qubit, and the measurement 
angles which are set to be 5i = (j)[ + 6[ . As before, the values of 5i are uniformly random, and for 
any fixed values of 5i tracing over all rj, we obtain the initial quantum state for each qubit as either 



1 

2 
if the qubit was not dummy, and 



+e' { +e: 



1 
+ 2 



i|0){0| + i|l>{l|=' 



if the qubit was a dummy. Hence the qubits obtained by Bob are always in the maximally mixed 
state and are not correlated with each other. D 

5 Generic Graph 

During a hiding protocol Bob learns the graph of entanglement, G, however it was shown in [3] that 
it is possible for Alice to choose a family of graphs corresponding to what were termed brickwork 
states such that blindness of the angles, as defined before, will permit Alice to hide the unitary 
operator that the protocol is implementing, revealing only an upper bound on the dimensions of 
the circuit required to implement it. The key element to achieve this is the use of those universal 
resources for MBQC [25] that are generic, hence revealing no information about the structure of the 
underlying computation, except the bounds on the size of input and the depth of the computation. 
Moreover to make the protocol practical from Alice's point, it is desirable to restrict the class of 
measurement angles, so that the required class of random qubits prepared by Alice is also restricted. 
Hence we are restricted to achieving only approximate universality, however this is still equivalent 
to the quantum circuit model with a finite but universal set of gates. Note that exact universal 
blind quantum computing could be achieved similarly if Alice could prepare separable single qubit 
states \+g) with 9 chosen randomly in [0, 27r) and if Bob could make any measurement with angles in 
[0, 27r). However, such a model requires Alice to communicate random real angles to Bob, and hence 
such a setting is unattractive from a communications resources point of view. However, similar to 
the quantum circuit scenario, by the Solovay-Kitaev theorem, a finite set of angles (for instance 
a set that corresponds to Hadamard and ^-Phase gates) can be used to efficiently approximate 
any single qubit unitary operator]^ For the rest of this paper we will restrict our attention to 

®More precisely, the Solovay-Kitaev theorem states that if the subgroup generated by some subset of SU{2) 
operators is dense in SU{2), then the approximation converges exponentially quickly to any element of SU{2) in the 
number of these operators from a smaller set one uses to approximate. 
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approximate universality and we use the fact that a large family of graph states are approximately 
universal if one restricts the set of angles to be in the set {0, ±7r/4, ib7r/2} [26]. We give two such 
examples below. 

Definition 3. A brickwork state Qnxm, where m = 5 (mod 8), is an entangled state ofnxm qubits 
constructed as follows: 

1. Prepare all qubits in state |+) and assign to each qubit an index {i,j), i being a row (i G [n]) 
and j being a column (j € [m]). 

2. For each row, apply the operator CTRL-Z on qubits {i,j) and {i,j + 1) where 1 < j < m — 1. 

3. For each column j ^ 3 (mod 8) and each odd row i, apply the operator CTRL-Z on qubits 
{i,j) and (i + l,j) and also on qubits {i,j + 2) and {i + l,j + 2). 

4- For each column j = 7 (mod 8) and each even row i, apply the operator ctrl-Z on qubits 
{i,j) and {i + l,j) and also on qubits {i,j + 2) and {i + l,j + 2). 

We will refer to the underlying graph of a brickwork state as the brickwork graph and denote it with 
the same notation as Qnxm, see FigureY^ 




Figure 1: The brickwork state, Qnxm- Qubits are arranged according to layer x and row y, corre- 
sponding to the vertices in the above graph, and are originally in the |+) = ^ |0) + -7= |1) state. 
Controlled-Z gates are then performed between qubits which are joined by an edge. 



Theorem 5 (Universality [3]). The brickwork state Qnxm is universal for quantum computa- 
tion. Furthermore, we only require single-qubit measurements under the angles {0, ±7r/4, ib7r/2} 
to achieve approximate universality, and measurements can be done layer-by-layer. 

Let us denote vertices of a brickwork graph Qnxm by {i,j) (where 1 < i < n,l < j < m), then 
it is easy to verify that the unique flow function of Q is defined by: 

fg{ii,j)) = {i,j + l) 

That is to say, the flow of each vertex in the graph is from its immediate left neighbour in the same 
row. The corresponding partial order -<g is defined as the collection of sets Lj of all vertices in the 
jth column of the brickwork graph 



Lj = {ix,y)\l <x<n,y = j}. 
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Now suppose Alice has in mind a unitary operator U of size 2" x 2" and the n-qubit input state 
\I). Due to Theorem [5] there exist an integer m and angles {4'i,j}i<i<n,i<j<m £ A such that the 
measurement pattern with angles {(pi,j} over the brickwork state Gnxm, where the first n qubit are 
set to be in the state |/), approximates U \I). Therefore the last n qubits after the measurements 
of the first m — n qubits and application of the corresponding corrections induced by flow are in a 
state which can be made arbitrarily close to U \I). We can simply adapt the generic hiding protocol 
to implement this measurement pattern blindly. 

Protocol 4 Brickwork State Universal Hiding Protocol with Quantum/Classical Input/Output 
Replace G with Gnxm and follow the steps of Protocols [T] or [21 



Theorem 6. Protocol\^ is blind while leaking at most m and n. 

Proof. The proof is exactly the same as the proof of Theorem [2] and therefore the angles of mea- 
surement (pi remain secret from Bob. Moreover, the universality of the brickwork state guarantees 
that Bob's knowledge of Gnxm does not reveal anything about the underlying computation except 
n and m. D 

Note that at every step of protocol, Bob's quantum state is one-time padded with Alice's secret 
key. During the execution of the protocol the true value of Si are unknown to Bob since they have 
been one-time padded using the random keys ri at each step. Due to the flow construction [2Tj, each 
qubit (starting at the third column of the brickwork state) receives independent Pauli operators, 
which act as a full quantum one-time pad over Bob's state. In the case of quantum input they are 
all already one-time padded using secret keys Xi and 0j, and since the first layer performs a hidden 
Z-rotation, it follows that the qubits in the second layer are also completely encrypted during the 
computation. Similarly, the classical input are one-time padded using only 9i keys. Finally for the 
classical output, random keys r^ are enough to classically one-time pad the outcome measurements 
of the final Pauli X measurements over the last n qubits containing the classical outputs. 

Note that in practice if Alice has the description of a unitary V such that V{®i |+)) = |/) 
then trivially a hiding protocol that blindly computes UV over the input states ®i \ +) will prepare 
the desired output state of the form U \I). Therefore for such a scenario Alice can follow the step 
of the Protocol [1] with classical input without having to prepare the encoded state X^^Z{9i) 
. . . (g) X^^Z{dn) \I) herself. However, we have presented the full protocol for an arbitrary, possibly 
unknown, quantum input state, since the general scheme proved useful for dealing with input 
supplied by a third party [7] . 

Next we introduce another generic family called dotted- complete graph states which will be 
necessary for our new method of verification. The basic idea behind this new universal resource 
state is that it can be partitioned blindly into smaller universal resource states, one of which will 
be used for the computation, while the others will be used as traps for verification purposes (see 
later). To begin with, we need to introduce the graphs which we will use, and prove that they have 
some special properties. 

Definition 4. We define the operator ~ (G) on graph G to be the operator which transforms a 
graph G to a new graph denoted as G by replacing every edge in G with a new vertex connected 
to the two vertices originally joined by that edge. Let Kjsf denote the complete graph of N vertices, 
we call the quantum state corresponding to the graph K^ the dotted-complete graph state denoted 
with /Ctv- We denote the set of vertices of Kj^ previously inherited from K^ as P{Ki^), and denote 
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the vertices added by the ~ () operation by A(K]^). The number of the vertices in the K^ graph is 
then equal to N{N + l)/2. 





K. 



K. 



Figure 2: An example of the relationship between a complete graph i^4 and the corresponding 
dotted-complete graph K^. The vertices in black in K^ denote the set P^K^), while the white 
vertices correspond to A{K4). 

The next definition and lemmas will be used in manipulation of dotted-complete graph states. 

Definition 5. We define the bridge operator on a vertex v of degree 2 on graph G to be the operator 
which connects the two neighbours of v and then removes vertex v and any associated edges from G. 
We define the break operator on a vertex v of graph G to be the operator which removes vertex v and 
any associated edges from G. Let G be a graph on m vertices. Then we say that G is n-universal, 
for n < m, if and only if any graph of n vertices can be obtained from G through a sequence of 
bridges and breaks. 

Lemma 1. Kjy is A^-universal, and the bridge and break operations used to obtain a target graph 
need only be performed on vertices in A{K]\f). 

Proof. Given any graph G on N vertices, associate each vertex Ui in G with a vertex Vi in P{K^). 
Each pair of vertices {vi,Vj) in P{K]\}) is connected through an intermediate vertex of degree 2 
in A{Kn). Thus by bridging over the intermediate vertex if Ui and Uj are joined by an edge and 
breaking the intermediate vertex otherwise, Ki\f reduces to G. As this is true for all graphs G on 
A'" vertices, Kj^i is A^-universal. D 

Lemma 2. Given a partitioning of the vertices P{K]\f) into n sets {Pi} containing Ni vertices 
respectively, by applying a sequence of break operations only, it is possible to transform Kn into n 
disconnected graphs ki such that each one of them are of the form K^. and P{ki) = Pi. 

Proof. As the vertices P{Kn) are associated with a corresponding vertex in Ki\f, the vertices of 
Kn can by partitioned into the sets {Pi}. As K^ is the complete graph the vertices within each 
partition Pi form a clique. Thus by removing edges between the partitions the resulting graph is 
composed of n disconnected graphs {ki = K^^} such that the vertices in ki are the vertices in Pi. 
As removing an edge before applying the ~ () operator is equivalent to applying a break operation 
after the ~ () operator there exists a corresponding sequence of break operations, such that the 
resulting graph is ~ {{ki}) = {ki}. As fej =~ (/cj), it follows that P{ki) = Pi and since ki = K^. 
then ki = K]\[. as required. D 

Lemma 3. Given a graph K^, by applying break operators to every vertex in P{K]\f) or A{Kn) 
the resulting graph is composed of the vertices of A{Kn) or P{K]\f) respectively and contains no 
edges. 
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Proof. As the ~ () operation only introduces vertices connected to vertices in P{Kn), every vertex 
in A{K]\f) shares edges only with vertices in P{K]\j). Thus when the vertices in P{Kf^) and their 
associated edges are removed by the break operators, the vertices in A{Kn) become disconnected. 
Similarly, since ~ () removes all edges between vertices in P{Kn), hence every vertex in P(i^jv) 
shares edges only with vertices in A{Ki\i). Thus when the vertices in A(Kfyf) and their associated 
edges are removed by the break operators, the vertices in P{Kn) become disconnected. D 

We now extend these results to graph states. 

Lemma 4. Given two graph states iV'Gi) c^^^ I^G2) corresponding to graphs Gi and G2 respectively, 
if it is possible to obtain G2 from Gi through a sequence of bridge and break operations, then it is 
possible to obtain \1pG2) ffom \ipGi) through a sequence of Pauli measurements and local rotations 
about the Z axis through angles from the set {0, f , vr, ^}. 

Proof. By measuring any qubit in a graph state with Pauli Z operator, we obtain a state equivalent 
up to local Pauli Z corrections to the graph state obtained from the graph when that vertex and 
its associated edges are removed. To see this, we consider the operations this qubit undergoes: It 
is first prepared in a state |+), then interacted with its neighbours via control-Z gates, and then 
measured in the Z basis. As the measurement commutes with the entangling operation, this result 
is identical to the case where the control-Z gates are applied to the measured eigenstate of Z. Thus 
when the complete sequence of events is taken into account, this operation is equivalent to the 
identity when the measurement outcome is 0, and equivalent to local Pauli Z operators applied to 
the neighbours of the measured site when the measurement outcome is 1. This is then the graph 
state equivalent of the break operation defined on the associated graph. 

If a vertex is of degree 2, then measuring the associated qubit with the Pauli Y operator 
yields the graph state corresponding to the graph obtained by applying a bridge operation to that 
vertex, up to local Z- rotations through an angle ib|. To see this, we again consider the sequence 
of operations the qubit undergoes: It is prepared in the state |+), interacted with its neighbours 
and then measured in the Y basis. Immediately prior to measurement, the net operator applied is 
-y=\0) 0l+ -y=\l) Zi ^ Z2, where the subscripts 1 and 2 denote the neighbours of the measured 
qubit. Thus if the measurement result is then this is equivalent to directly applying the operator 
g«4 1® 2 ^Q ^]^Q neighbouring qubits, whereas if the measurement result is 1 this is equivalent to 
applying the operator e~*4 1® 2 ^q these qubits. Since the control-Z gate can be written either as 
gif (n-z®n-i®z+z®z) Q^ g-i|(i-z®i-i®z+z®z)^ ^-^^ ^g^^^ ^^ ^-^^ neighbouring qubits is equivalent to 

a control-Z, up to local Z-rotations by ^ (for a measurement result of 0) or — | (for a measurement 
result of 1). 

For a more detailed discussion of the effect of Pauli measurements in the measurement based 
model, the reader is referred to [27]. D 

Theorem 7 (Universality). The dotted- complete graph state /Cat is universal for quantum compu- 
tation. Furthermore, we only require single-qubit measurements under the angles {0, ±7r/4, ib7r/2} 
and in the Pauli Z basis to achieve approximate universality, and measurements can be done layer- 
by-layer. 

Proof. Due to lemmas [T] and |4j by choosing N big enough, we could construct the brickwork state 
Gnxm from }Cn using only Pauli measurements. Hence from TheoremNwe obtain the universality of 
dotted-complete graph states and approximate universality with only single qubits measurements 
under the angles {0, ±7r/4, ib7r/2} (which includes the Pauli Y measurements required to implement 
bridge operations), and the Pauli Z basis measurements required to implement break operations. 

D 
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From this result we can construct a new universal hiding protocol based on dotted-complete 
graph states, as given in Protocol [S] Interestingly, in the case of classical input and output this new 
protocol does not even reveal the circuit dimensions, but instead a single integer which is an upper 
bound on the number of qubits required to implement the computation in the measurement-based 
model. 

Protocol 5 Dotted-Complete Graph State Universal Hiding Protocol with Quantum Input/Output 

• Alice's resources 

- Parameter A^ such that the desired computation could be obtained from the state /Cat after 
a sequence of break and bridge operators (Theorem ul). The labelling of vertices are in such 
a way that the first n qubits are input and the last n qubits are output. 

- The dummy qubits position, set D, is set to be the position of all the qubits that are 
required to be Pauli Z measured for performing the break operators. 

- A sequence of non-output measurement angles, (/> = (0j)i<i<(m-n) with (f)i ^ A where (/)i = | 
for alH £ -D and also for all the qubits that are required to be Pauli Y measured to perform 
the bridge operators. 

- The rest of the resources are the same as Protocol |3l 

Follow the steps of Protocol [s] where G is replaced with K^- 



Theorem 8. Protocol^ is blind, while leaking at most n and N. 

Proof. As Bob entangles according to /Cat, clearly the parameter N is leaked. Additionally, in the 
case of quantum output. Bob must be instructed how many qubits to return to Alice, and hence 
knows n. However, fixing these parameters, due to Theorem [2] all the measurement angles including 
the measurements for the bridge operators are blind to Bob. Similarly, from Theorem |4] we have 
blindness for the measurement corresponding to the break operators. Together these guarantee 
the blindness of the operations required to prepare a brickwork state from }Cj\[. Finally Theorem [6| 
proved the blindness of the remaining measurements performed on the prepared brickwork state. D 

6 Verification 

This section deals with another property of the hiding protocol called verification. This property 
requires that Alice can verify with high probability whether Bob has followed the instructions of 
the protocol and hence if the quantum or classical output state is indeed in the correct form, or 
whether there has been a deviation and she should therefore reject the output state. The main idea 
is to exploit blindness so that Alice can expand the protocol to include trap qubits where Alice 
knows in advance the classical outcome of these specific measurements (i.e. the correct message 
from Bob for these measurements), where the blindness ensures that the position of these traps 
remains hidden to Bob. At the end Alice will accept the quantum or classical output only if Bob 
has produced all of the expected outcomes for these trap qubits measurements. The subtlety in 
verification is to prove that the accepted quantum or classical output is indeed correct. 

It is essential that Alice keeps the position of these trap qubits unknown to Bob, so that 
he cannot attempt to interfere with the actual computation of U while keeping the trap qubits 
untouched. We will present a protocol where every qubit of the underlying graph could potentially 
be an isolated (unentangled) trap qubit in an unknown state l+e) for ^ G ^. In order to do so, it is 
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enough to prepare all the neighbouring vertices of the trap qubit as a dummy qubits, hence these 
dummy qubits together with the trap qubits remain disentangled from the rest of the graph during 
the preparation stage. Building on this simple construction, by adding more traps and adding error 
detection elements, we will present the a final protocol in which the probability of not detecting an 
incorrect outcome is exponentially small. 

In order to first demonstrate the main idea of this method of verification, we ignore the uni- 
versality property and only later will we present a concrete universal blind quantum computing 
protocol with the verification property. Hence to obtain a generic hiding protocol with a random 
unknown trap it is sufficient to use Protocol [3j where Alice chooses a random position t to be an 
isolated trap qubit (Protocol [6]) . 

Protocol 6 Generic Hiding QC For Unitary with Dummy, Trap, Quantum Input and Output 

• Alice's resources 

- Graph G over m vertices and a random position t among the vertices of G. 

- The rest of the resources are the same as Protocol [3] where (pi = for i = t and i £ D where 
D is the set of all neighbours of position t in the original graph to create an isolated trap 
qubit at position t. 

• Follovif the steps of Protocol [3[ 

• Accept/Reject 

- After obtaining all the output qubits from Bob, if the trap qubit, t, is an output qubit, 
Alice measures it with angle 5t = 6t + rtn to obtain bf. 

- Alice accepts if ht = rt- 



Theorem |4] directly implies that Protocol [6] is blind and the position of the trap qubits t remains 
unknown to Bob. Recall that at each stage i only qubit i is measured. We present some intermediate 
definitions before formalising the definition of verification. All the protocols presented so far describe 
the expected behaviour of Alice and Bob in a hiding protocol. Since we are concerned with the 
secrecy of Alice's resources we can assume that Alice always follows the steps of the protocol. In 
fact after the initial step when Alice draws all the random variables 9i and r^ her behaviour, for a 
fixed run of the protocol, is deterministic. This means that at each step the next move of Alice is 
determined completely by the past, however a malicious Bob might deviate in any way he desires. 
We will define a run of protocol to be honest (Bob has behaved as expected) or correct (the output 
is correct despite Bob's deviations) based on the outcome of all measurements and the quantum 
output state if it exists. 

Recall that in a generic hiding protocol with quantum input and output the messages sent by 
Bob to Alice depend on a collection of outcome measurements, Sj E {0, 1}. In fact Bob will send 
the outcome value hi and then Alice, depending on rj, will reset them to their corrected values Sj. 
In what follows we will deal with the corrected outcome measurement that is Sj. Similarly at the 
end of the protocol Bob will send Alice some quantum output state in the output Hilbert space 
T-Lo that needs to be corrected depending on all the measurements outcomes. In what follows we 
consider the corrected quantum output state p. Note that the values of Si and p depends on Alice's 
specific random choices and also Bob's general strategy of deviation. We treat this information as a 
single density operator to deal uniformly with both classical and quantum output. Finally in order 
to consider the most general deviation that Bob can perform during a run of protocol we consider 
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a collection of unitary operators acting each at a stage of the protocol on the private qubits of Bob 
and all the other qubits and classical bits sent by Alice to Bob. 

Definition 6. Consider a particular run of a generic hiding protocol, where all the following pa- 
rameter are fixed: Alice's angles of measurements (p = {4>i)i<i<im-n)j Alice's random variables 
X = {xi)i<i<n, r = (?"i)i<i<(m-n) ^'^'^ ^ = (^j)i<i<m; AUcc's input State \I); The number of Bob's 
private qubits B; Bob's deviation unitaries at each stage of the protocol U = {f/i}o<j<m+i acting 
on all quantum and classical messagesyX We denote the outcome density operator (of all classical 
and quantum messages sent by Bob to Alice) as follows: 



se{o,i}loi" 



s 



where v ranges over Alice's choices: (p,x,r,6; and j ranges over Bob's choices: B and U; and 
s ranges over all possible values of the corrected values {si} of the measurement outcomes {bi} 
sent by Bob to Alice; and pi • is the reduced density operator for the non-measured qubits with 
the corresponding correction operators for the measurement outcomes s has been applied. We call 
the outcome density operator Boii'), obtained from a run of the protocol where all Ui are set to be 
the identity operator, the exact outcome density operator. That is the outcome density operator 
obtained from a run where Bob exactly follows the step of the protocol. 

Note that if we were dealing only with deterministic pattern over a connected graph state 
then the outcome density operator could have been simplified to a fixed pure state of the output 
qubits, independent of the measurement outcomes. Moreover in such a scenario the probability of 
each branch of the computation would have been the same. However the above definition aims to 
capture any general deviation by Bob, that could effect the determinism and probability of the 
branches. Also since we will have dummy and trap qubits then not all the possible branches will 
be equally probable. The outcome density operator, depending on all the random choices of Alice 
and Bob, can be classified as follows belo'v 



Definition 7. We say the outcome density operator Bj{u) is honest if it is indistinguishable from 
the exact outcome density operator: 

\\Bj{u) - Bo{u)\\tr = 0. 

It is called correct if the quantum output state and the trap outcome measurement is indistinguish- 
able from the corresponding value of the exact outcome density operator: 

||Tri^o,i^t(-Bj(z^)) - TTi^o,iM^o{t^))\\tr = 0. 

It is called lucky if bt = rt and finally it is called incorrect if it is lucky but the quantum output 
state, Tr,i^!ou{t}}iBj{i')), is orthogonal to the corresponding subsystem of the exact outcome density 
operator. Note that for the classical output scenario, any bit-flip implies orthogonality. 

Alice should not care if Bob's deviation leads to a correct outcome density operator, as the final 
quantum or classical output is in the correct state. Therefore in the definition of a verifiable blind 
quantum computing we aim to bound the probability of Alice being fooled i.e the probability of 

^Note that Bob can deviate before the first measurement (step J = 0) and after the last measurement step 
{i^m + 1). 

*We will not use all the mentioned category but we believe pointing out the subtle differences could be beneficial 
for understanding the main definition. 
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Alice accepting an incorrect outcome density operator. Any outcome density operator either results 
in St 7^ rt or is contained within the subspace of correct and incorrect outcome states, which could 
be then probabilistically projected into a correct or an incorrect state. Hence intuitively, a protocol 
is defined to be verifiable if the corresponding outcome state is far from any incorrect outcome 
states. Following the approach of [28], we first define the notion of correctness rj 

Definition 8. Let Pincorrect ^^ ^^^ projection onto the subspace of all the possible incorrect outcome 
density operator for the fixed choice of Alice's random variables denoted with u, that is the following 
projection 

^incorrect = (^ ~ \^ ideal) i^ideall) ® Vt ) Vt I 

where |>I'J'^ga;) {"^ideail ~ ^''i^{Ou{t}}(-6o(i^))- Let p{v) be the probability of Alice choosing random 
variables parameterized by u, that is the probability of choosing a position i among all possible 
vertices of the graph to be the trap position (denoted as a random variable t) and the probability 
of choosing random variables (p,r,x,6 (as defined in Definition^. Given Q < e < 1, we define a 
protocol to be e- verifiable, if for any choice of Bob's strategy (denoted by j) the probability of Alice 
accepting an incorrect outcome density operator is bounded by e: 

1v{Y,V{^)P:ncorrectBj{v))<e. 

V 

Theorem 9. Protoco/ 6^ is (1 — i^^^^:^ -verifiable in general, and in the special case of purely classical 
output the protocol is also (1 ) -verifiable, where m is the total number of qubits in the protocol. 

Proof. At the beginning of the protocol, Alice prepares the input qubits in the following form: 

\e)=X''^Z{ei)0...0X''^Z{9i)\I) 

and positions them among the first n qubits. She then prepares the remaining qubits in the following 
form (where D is the index of the dummy qubits) 



\/ie D \di) 

V^0^ U,eNai^)nDZ'^\+o. 



+6»,+Ejg]V(3{i)nD d-j'^ 



and sends all m qubits in the order of the labelling of the vertices of the graph, we represent the 
whole m qubit state as \M). We can treat all the measurement angels 6i as orthogonal quantum 
states \6i). Note that for Protocol p^ all the random variables t,x,r,9 are independent and uniform. 
For a fixed choice of Alice's random variables and Bob's strategy denoted indexed by i' and j 
respectively, the outcome density operator Bj{i') can be written in the form of the output of a 
circuit computation as depicted in Figure [3j 

While in the actual protocol, at step i, Alice computes 5i as a function of ■s<j which in turn is 
calculated from 6<i and r<j, we note that we can rewrite the circuit from Figure |3] in such a way 
that the values 5i are part of the initial state, without affecting causality as they do not interact 
with anything until after the corresponding 6j has been generated. In other words, despite the fact 
that the protocol seems to be interactive, since the interactions is only required to compensate for 
the correction operators, one could instead consider a post-selected scenario to simplify the protocol 



^Recall that for simplicity we have assumed that the computation is deterministic and the input is in a pure state, 
and hence the ideal output will necessarily be a pure state. This restriction to pure states mirrors the approach of 
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Figure 3: A run of protocol together with Bob's deviation represented as Ui operators. The en- 
tanghng operator, Eg, is the collection of all the required ctrl-Z operators corresponding to the 
graph edges. Note that in Definition |6] we also considered an operator Uq representing Bob's initial 
deviation. In the figure, for simplicity, we have commuted Uq and combined it with Ui. Trivially, 
if all the Ui operators are set to be identity the above circuit converges to the exact run of the 
protocol, where a measurement in the basis ji^J is implemented using the controlled Z-rotation 
followed by a Hadamard gate and finally a Pauli Z basis (computation basis) measurement on the 
corresponding qubits. 



to a single round. The assumption that all 5i are sent at the initial step will allow us to reorder 
all the operators U to the end to obtain the new circuit shown in Figure [^^ Note that Figure [4] 
is not an actual run of the protocol, it is a mathematical equivalent of Figure [3] where the values 
of bi have been fixed to permit us to commute the operators as depicted. However in the following 
proof we have considered any general deviation performed by Bob, that is to say we consider any 
arbitrary Ui operators. 

In the rest of this proof we will use t to represent both the random variable and also the position 
of the trap qubit. We denote by fi = U!^_^U!^_^_i...U'i the overall action of Bob's deviation and 
by "P = ( ®i<i<m-n HiZi{6i))EG the action of the exact protocol prior to measurement. Here, and 



in Figure 
by 1^^ 



we have taken U^ = ViUiVJ, where Vi = ^ 



i+l<j<m—n 



HjZj{6j). Further we denote 



=^^i<i<-m 1-^^) ^i<j<m-n \^j) ^^6 joint State of the initial (input, dummy and prepared) 
qubits sent by Alice to Bob and the classical angles 6i, and take P± = I — V 1^*^) (^'^l V' to be the 
projection onto the subspace of incorrect output states. Hence 



pv 

incorrect 



where |r/^) 



\rt)i for 1 < t < m — n and |r/^) = \+et)t ^°^ m — n + 1 < t < m. Here we use the 



'^"Note that Theorem l2| guarantees that each Si is independent of all hj whether or not Bob follows the protocol, 
as they are uncorrelated with the state of the system he receives from Alice. 
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Figure 4: The fact that any Uj in Figure [3] is independent of aU (5i<j, ahows us to commute f/j to 
the end of the circuit as shown above. 



subscript on the ket to identify the relevant qubit. Thus we have 



Tr(P, 



incorrect 



B,{u)) = TV(P^ |7?n {Vt\ i^ra^'' |0) (0|) l^'') i^'^DV^^^)) 



Since any unitary operator can be written as hnear combination of Pauh operators we have f7 = 
^j aiai, where ^^ a^a* = 1 and ai is a Pauli operator acting on the joint quantum state of Bob's 
private qubits and l^''). Therefore the above equation can be written as 



TriPt^,,,,,^ B,{y)) = Tr P^ C3 Wt) {v^A J^a.a* a.P((C3^ |0) (0|) C5 \^n (*1)PV, 



*j 



Tr 






«.«* Px ® |7?r) (r?ri (a,P((»^ |0) (0|) ® \^>-) {^>-\)V^ 




In order to determine which at terms have a non-zero contribution in the above sum after the 
projection operator is taken into account, it will be necessary to look at the structure of each 
such Pauli operator. To this end, we will denote by o"j|j, the action of Ui on qubit x, and hence 
o"i|x £ {IjXjY, Z}. For simplicity we assume each 5i is encoded across 3 qubits (since there are 
only 8 possible angles). Thus, we have 1 < x < {m + B + 3{m — n)), where 1 < x < m identifies 
qubits received from Alice, m + 1 < x < m + B identifies qubits in Bob's private register, and the 
remaining x values identify the qubits containing 6i. Without loss of generality, as Bob's private 
register is assumed to start in the state |0) we need only consider a decomposition in terms of Cj 
in which (Tji^. G {/, X} for all tti + 1 < x < m + B, since Z \0) = / |0) and y |0) = iX |0). Similarly, 
without loss of generality we can take a^^^ £ {I, X} for all m + B < x, since each qubit in the 
register containing the angles {6i} is a classical state (i.e. a computational basis state), and hence 
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up to a global phase the action of Z is identical to that of / and the action of Y is identical to that 
oiX. 

The probability of Alice accepting an incorrect outcome density operator is given by Pincorrect = 
Tr(E^ Pi'^) Pincorrect Bj{u)). TMs Can be calculated via the expression for Tl{P^^^^„^^^ Bj{v)) 
obtained earlier 



Pincorrect 



X]^(^)Tl'(Ancorrect Bj{p)) 



V 



Tr Y.^{v) Y^a,a]P^ ® IryH (^,1 ^.^((^"^ |0) (0|) ® \^') (^I)PV, 



i,j \ V 



v)a,a] P^ ® K) (r/ri a,P((®^ |0) (0|) ® \^^) (^1)^+^, J . 

In order to obtain an upper bound for the above expression we make use of sets of indices x 
of qubits such that the action of Oi at that position, diw^ is a particular Pauli operator, which we 
denote as follows: 

Ai = {x s.t. cjju = / and 1 < x < ra} 

Bi = {x s.t. cjju = X and 1 < x < m} 

Ci = {x s.t. cjju = Y and \ < x < ra} 

Di = {x s.t. cjj|^ = Z and 1 < x < m}. 

Note that in the above we restrict attention to the set of qubits originally sent from Alice to Bob 
(which is why 1 < x < tti), and disregard the action on Bob's private qubits. Additionally, we will 
make use of a superscript O to denote subsets of the above sets subject to the constraint that x is an 
output qubit {m — n < x). Thus, for example, -DP = {x s.t. a^^ = Z and m — n + 1 < x < m}. We 
note that only ai and aj operators for which Tr{P±aiV{{'^^ |0) (0|) (g> |^) {^DVaj) / contribute 
to Pincorrect, and with the above definitions in place, we can express this succinctly as the condition 
that \Bi\ + \Ci\ + \Df\ > 1 (denoted as i £ Ei) and \Bj\ + \Cj\ + \D^\ > 1 (denoted as j £ Ej). That 
is to say, one or both of the following has happened: ai {aj) has produced an incorrect outcome for 
one or more of the measurement results and hence \Bi/ Bf\ + \Ci/Cf\ > 1 {{Bj/B'?] + \Cj/Cj^\ > 1) 
or ai (aj) acts non-trivially on the quantum output and hence \Bf\ + |CP| + \Df\ > 1 {\B^\ + 
\C^\ + \D^\ > 1). Thus after expanding the random variable u we have 



Pincorrect S 

p{e)p{t)p{r)p{x)aia* P± ^ Iv^ (r/^l a,P((^^ |0) (0|) l^'^) (^^PV,- 

We note that averaging over r, x and 9 for all qubits other than the trap qubit yields the 
maximally mixed state of the system sent from Alice to Bob (both the initial qubits and the 
angles 6i) as per the proof of blindness, and so the reduced density matrix for that subsystem is 
proportional to the identity. Therefore after the action of the protocol (V) we obtain the following: 
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Pincorrect -^ / ^ 



< V Tr 5] p(^tMtMn)a.a*Px |r?n (^r 



ieEijeEj ^t,et,rt 



<T. ((®^io)(oi)^i7?n(^ri^i'5t)(<5ti® ^ 



Tr(/) 

where I is the identity matrix of dimension 2^™~^"~^ if t < m — n and dimension 2^™""^""^ 
otherwise. Here, for ease of notation, we include a system in state \5t) {5t\, even though Bob does 
not receive an angle St for t > m — n, m which case we will define the system to have only one 
dimension. Pauli matrices have trace zero, and hence the term inside the summation goes to zero 
unless Cjij. = aj\x for all x < ttt, other than x = t. Further, note that Uju G {/, X} for any qubit x 
in Bob's private register or the register containing 5i, and Tr{a^^ \i) {i\ ctj^^) = unless a^^ = aj^^ 
for i G {0, 1}, and hence only terms for which cjju = cJjU on both Bob's private qubits and the 6i 
register contribute to the summation. Thus we have 



Pincorrect < ^ '^^( X] Pi^t)p{t)p{rt) Oiitt* (r/f | 0-j|j jr/H {Vt\ <^j\t H) ® \^t) {St\ ® 
ieEiJeEj tflt,rt 

'^i\B{®^ |0) (0|)ai|B ® P±{(yi\A ;^r7yy f^i|A)) 
= E Tr( 5] p{et)p{t)p{rt) a,a] (r/fl a,|i |r/n (r?ri <y,\t H) ® \bt) (5t| ® 

i&Ei,j&Ej t,et,rt 

where cTjia, = cjjuVx ^ t and where A represents the subsystem of all qubits sent by Alice except the 
trap qubit. Finally, using the fact that Yle r* '^^( (''^tl ^j IVt) iVtl ^i \Vt) ) — ^ unless a^ = aj\t, we 
arrive at the conclusion that the only terms which contribute to pincorrect are those where ai = aj. 
Thus we have 

Pincorrect < J^ X] '^'^ X] l"»l^( ^^^1 ^i\t \Vt))'^ ® \^t) {St\ ® Plicr^A T^-JJ- CJj|^) 
^ idEi \tfit,rt ^^ ' J 

^ !«;„ E Tr ( E l"^l'( (^ri ^^\t Wt)A Tr( |<5,) (<5,| )Tr U^ ^ a.^^ 

i&E, \tfit,rt ) \ \ ) 



1 



\^ X^ l^..|2^/r,^ 



16m ^-^ \ ^^-^ 

i€Ei \tfit,rt 



a* I {{Vt\(^i\t\'nt)) 



2 



E l"*n E {'<nt\<^i\t\vt)f + E {'\nt\'^i\t\nt 



16m ^^-^ 

i&Ei \t<m—n,9t,rt m—n<tfit,rt 
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Y^Z]l«*lM Yl iirt\t^i\t\n)tf+ Y. {{+Ot\t^i\t\+et)t^^ 



!- Y, \^^\' ((i6|^.M?l + 16| A/A""!) + (8| A""! + 8|Cf I + 16|^?|)) 



16m 



^5]|a.P(2|^.|+2|A/A°l + lA^I + |C^fl)- 



2m 

i&E; 



This can be further simphfied, since |Aj| + |A| + IQI + I A| = in, giving 

P^ncorrect < l^Yl I"*'' (^"^ " ^d^^l + l^il + I A^l) + \B?\ + |Cf |) 
i£Ei 

^iEl"^l'(2"^-|^d-|^^|-2|A°l) 
< V |aiP(2m- 1) 

i(^Ei 

2m 

for the general case. However, for the specific case of only classical output, this bound can be made 
tighter by performing the simplification in a different way, since \Bf\ = \C^\ = |-DP| = 0, and 
hence 



Pincorrect ^ 

2m 

ieEi 



^ i E l«^l' (2|^^l + 2| A/A^l + \B?\ - |Cf I) 
ieEi 

- V |a,|2(|A,| + |A|) 
n ^-^ 

i:\B,\ + \C,\>\ 

- V |a,p(m-|A|-|C.|) 



m 

i:|B,| + |C,|>l 



<- E \a^f(m-\) 

nm ^ — * 



m 

i:|B,| + |C,|>l 
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7 Probability Amplification for Universal Verifiable Blind QC 

In the previous section we presented a very simple verifiable protocol where the probability of Bob 
succeeding in making Alice accept an incorrect outcome density operator was strictly less than 1. 
Building upon that simple construction, by adding more traps and making the computation fault 
tolerant, we can make the probability of Alice accepting an incorrect outcome density operator as 
small as required. The central idea is to design a protocol with 0{N) many traps in essentially 
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random locations, where N is the number of qubits in the protocol, to increase the probability 
of any local error being detected. The fault-tolerance is added to increase the minimum weight of 
any operator which leads to an incorrect outcome, and hence further increase the probability of 
detection. Here, and in what follows, the weight of a Pauli operator is defined to be the number 
of qubits upon which it acts non-trivially. First, given such a protocol we show how it amplifies 
the verification parameter. We then present the central contribution of this paper, a new universal 
verifiable blind quantum computing protocol that achieves the probability amplification without 
any such assumptions. 

Theorem 10. Let V be a blind quantum computing protocol on N qubits with Nt isolated traps in 
the states l+e^) at a set of positions T chosen uniformly at random. Assume Nt/N is a constant 
fraction c. Moreover assume that the computation is encoded in such a way that any Pauli error 
with weight less than d will be corrected or an error will be detected. Then the protocol is (1 — D'^- 
verifiable in general, and (1 — c) -verifiable in the case of purely classical output. 

Proof. In order to exploit Theorem [9j we notionally partition the qubits into independent sets 
with one single trap qubit in each set. These partitions amount to extra information about the 
location of the trap qubits, and hence their inclusion can only serve to increase the probability of 
Bob convincing Alice to accept an incorrect state. Thus the bound we obtain with this additional 
information is still an upper bound on the probability of Alice accepting an incorrect output when 
these partitions are unknown. There are Nt many such sets Sx with 1/c many qubits in each set. 
We adopt a similar proof strategy to that used to prove Theorem l9l taking 



^incorrect — P± Qy IVt) \Vt I 
tGT 

as the projection onto the subspace of incorrect outcomes. Similar to the proof of Theorem |9j only 
those Pauli operators contribute to pincorrect where one or both of the following has happened: ai 
has produced an incorrect outcome for one or more of the measurement results 6j or Uj acts non- 
trivially on the quantum output. Now due to the error-detection property of the encoding assumed 
in the statement of the theorem we need to consider only those <tj where \Bi\ + \Ci\ + \D^\ > d. 
Following the steps of the proof of Theorem [9] we reach 

Pincorrect = Tr(^^^ Piy) L^incorrect "j(^)) 

V 

^ E Tr [ J]p(r)|a.pn [Y^p{Bt)p{r,){{rfi\cj,\Mt)y 

i:\B,\ + \C,\ + \DO\>d T t&T \et,rt 

Here we can exploit the structure we have introduced through the sets Sx 

Nt 

Pincorrect < Yl HE K*^)^(^t J^('^t Jl"il^ (C k^l* JO )^ 

i:\Bi\+\Ci\ + \DO\>d^='^ t^,et^,rt^ 
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where t^ is taken to be the location of the trap qubit in set Sx- Rearranging the above and substi- 
tuting in the values of p{tx), piOt^), and p{rt^) we obtain 



Nt 



Pincorrect< J^ l^iPlI Yl ^6^ ("^ll ""ilt. l^DY 

i:\Bi\ + \Ci\ + \DO\>d x=lt^,et^,rt^ 



Note that within each set the position of the trap is chosen uniformly at random and so the 
probability of detection by that trap corresponds to the bound obtained for Theorem |9j Going 
through the steps of the proof of Theorem [9] we obtain 



Pincorrect Si 



E 



Nt 



\OLi 



n ^(2|A.| + 2\D,x/Dg\ + \Bg\ + \Cg\) 



■.\B,\MC,\+\DO\>d x=l 



„Sc/2 



E Ki=n^(--2iogi-iBi.i 



■.\B,\ + \C,\+\DO\>d 



x=l 



2 Vc 



\Cix\ — \Bix/B^J\ — \Cix/Cj_^ 



■"ix I / ' 



where we use the additional x subscript on sets | Aix | , • • • , | -Djx I to indicate subsets of the respective 
sets, subject to the restriction that the elements are also in Sx- For convenience we define Wix = 
\Bix\ + \Cix\ + |D£| and Wi = \Bi\ + \Ci\ + \Df\. Thus we obtain 



Nt 



incorrect S 


1^ loi 

i:Wi>d 


2TT '^ / ^ 

x=l ^ 
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i:Wi>d 


Nt 
2 TT (-, CWix 
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1^ l"i 
i:Wi>d 


Nt 
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i:Wi>d 
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1^ l«i 
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In the case of purely classical output this bound can be improved, since \Bf\ = \Cg\ = \Df\ = 0. 
Going through the same steps with this additional constraint gives 

Nt 

Pincorrect _; / ^ \^i\ III C-Wix } 

i:Wi>d x=l 

<ii-cr. 
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We can now present the final contribution of this paper, a new scheme for blind quantum 
computing which has all the previously described properties: correctness, universality, blindness 
of angles, input, output and computation and more importantly verifiability with exponentially 
small probability of error. Roughly speaking, universality and correctness will be obtained by using 
dotted-complete graph states (similar to Protocol pi) . In order to achieve verification we exploit the 
idea of dummy qubits (similar to Protocoljsl) to create, blindly, out of a dotted-complete graph state 
/CsAT three disconnected smaller dotted-complete graph states /Cat. Then we use two of these graph 
states to create 0{N) isolated trap qubits at random positions (similar to Protocol [6]) . The final 
step is to perform the actual computation over the remaining dotted-complete graph state in such 



a way that the stated property in Theorem 10 is also satisfied. That is, to have the measurement 
pattern encoded in such a way that any Pauli error with weight less than d, will be either corrected 
or detected. Such an encoding exists through the fault tolerant one-way quantum computing scheme 
of [9]. All that is needed is to create a three dimensional cluster state from the dotted-complete 
graph state and proceed with the fault tolerant computation scheme of Raussendorf, Harrington 
and Goyal ^^. 

We first give a concrete protocol for choosing the required parameters for the Raussendorf, 
Harrington and Goyal scheme, given the desired security threshold for the verification, see Protocol 
[7| This will fix the size of the dotted-graph state, A'^, required for the actual computation. However 
as stated above, we will start with a dotted-complete graph state of size 3N and will break it into 
three smaller dotted-complete graph states of size N each, see Figure [5| We will refer to these 
graphs as the white trap graph, the black trap graph and the computation graph. In the white trap 
graph all the vertices in P{K^) will become isolated traps (called white traps) by choosing all 
the vertices in A{K]\}) to be dummy qubits. Similarly in the black trap graph all the vertices in 
A{Kn) will become isolated traps (called black traps) by choosing all the vertices in P(K]\[) to be 
dummy qubits. We have to choose both type of vertices (^(ATstv) and P^K^n)) to be potentially 
isolated traps otherwise Bob could choose to cheat on one type rather than the other one. In order 
to make the position of traps random, Alice will choose a random partition of P{K3i\f) into three 
equal size sets, and will choose appropriate dummy qubits (similar to Lemma [2]) to obtain the 
three disconnected graphs. Note that this will lead to random positions for trap qubits, however 
the positions of trap qubits will be also correlated with each other and we will take care of this 
issue when we present the proof of the verification. The above procedure is formalised in Protocol 
[7] and finally Protocol |8] presents a hiding protocol that is universal, verifiable and blind. 

As a high level overview of the fault-tolerance scheme, qubits are encoded topologically as 
chains of defects (qubits to be measured in the Z basis) of finite thickness and separation (referred 
to as the scale parameter) which trace out a path through the three dimensional structure of the 
resource state. The encoding forces non-detectable errors to be topologically non-trivial chains, 
either connecting or encircling defect chains. Certain Clifford group operations are implemented 
directly by braiding these defect chains. For the remaining operations required for universality it 
is necessary to implement the gate by first distilling a suitable resource state which is then used 
to implement the gate via teleportation (all within the topologically encoded computation). While 
the teleportation can be done with Clifford group operations, the distillation is implemented on 
a concatenated encoding where at each level of concatenation the corresponding distillation step 
is topologically encoded with progressively higher defect thicknesses and scale parameters. At the 
lowest level, however, the operations are performed directly on physical qubits, and so the defect 
chains are only a single qubit in diameter. 

Theorem 11. Asswne Alice and Bob follow the steps of Protocol^ then Alice always accepts the 
output and the outcome density operator is correct. 
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Protocol 7 Measurement Pattern Choice 



In what foUows choosing a measurement pattern means fixing the underlying graph state together 
with the appropriate angles of computation such that the resulting pattern implements the desired 
computation due to universality. Similarly choosing a partial measurement pattern means fixing 
the underlying graph state together with a partial set of angles of computation corresponding to a 
partial computation, where the rest of angles will be fixed in Protocol 8 where this protocol is called 
as a subroutine. Here, we assume that a standard labelling of the vertices of each dotted-complete 
graph state is known to both Alice and Bob. 

1. Alice chooses security parameter d, then transforms the quantum circuit C corresponding to 
her desired computation into (or directly designs) a measurement pattern Mcomp on a graph 
state Qc which implements her computation using the encoding for topological fault-tolerant 
measurement-based quantum computation due to Raussendorf, Harrington and Goyal ^, 
where Qc is taken to correspond to the graph state of the 3D lattice C introduced in [9] with 
sufficient dimensions D^, Dy and Dz to implement her computation using an encoding with 
parameters as follows: 

• Defect thickness d 

• Lattice scale parameter A = 5d 

• Distillation of resource states |^) and \Y) using L = [log3(d)] levels 

• For each concatenation level 1 < i < L the thickness parameter and scale parameter for 
that level are chosen as di = Sd^-i and A^ = A^_i, with di = 1, Ai = 5, d^ = d and 
Al = A. 

2. Alice chooses a partial measurement pattern M/jeduce which reduces the graph state /Ctv to 
the graph state Qc through Pauli measurements (Theorem^, where A^ is the total number 
of qubits in C. 

3. Alice chooses a partial measurement pattern Mp on the graph state KLn such that every qubit 
corresponding to a vertex in A{Ki^) are set to be dummy qubits. Hence all vertices in P(K]\f) 
are isolated traps. 

4. Alice chooses a partial measurement pattern M^^ on the graph state /Cat such that every qubit 
corresponding to a vertex in P{Kn) is set to be dummy qubits. Hence all vertices in A{Ki^) 
are isolated traps. 

5. For the graph K^j^, Alice chooses uniformly at random a partitioning P of the vertices into 
three equal sized sets of vertices Pi, P2 and P3. 

6. Alice takes Mp to be the partial measurement pattern where the required vertices in ^(i^3jv) 
are set to be dummy qubits such that the resulting state is the tensor product of three 
graph states of the three disconnected graphs ki = Kj^j, /c2 = Kp^ and fca = Kat, such that 
P{ki) = Pi. 

7. Alice calculates M, her overall measurement pattern on a graph state corresponding to K^i^ 
by combining the partial pattern Mp with 'M.comp and 'M.Reduce applied to subgraph ki and Mp 
and M.A applied to subgraphs k2 and k^ respectively, to obtain a full measurement pattern. 
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Protocol 8 Verifiable Universal Blind Quantum Computation 



• Alice's resources 

- Alice chooses the pattern M and random partitioning V according to Protocol [7| 

- The dummy qubits position, set D chosen according to Protocol [7} 

- A sequence of measurement angles, (j) = {4>i)i<i<zN {ZN +i) /2 with 0, G A, according to the 
description of Protocol [7| where (/>i = for all the trap and dummy qubits. The ordering of 
the measurements on P(/C3Ar) is chosen uniformly at random subject to the constraint that 
the partial ordering of measurements from Wicomp determined by flow is preserved. Such a 
random ordering is required to hide the position of the trap qubits. The qubits in A{lC^i^) 
are measured first in the order that the relevant edge entry appears in the adjacency matrix 
of /C37V once this random ordering has been taken into account. That is, the site in A[]C^i\i) 
which is joined by edges to i and j in P{}C^n)^ with i < j yd. the random ordering imposed 
on P(X^37v), is measured in position 3A^(i — 1) + j — '^^^ ' . Note that the measurement order 
of the vertices in A should be independent of the computation (and traps), so in the above 
we prescribe one such suitable sequence. This is followed by the measurements of P{K,^n) in 
the randomly chosen order. 

- 3A^(3A^ + l)/2 random variables 9i with value taken uniformly at random from A. 

- 3N{3N + l)/2 random variables rj and \D\ random variable di with values taken uniformly 
at random from {0, 1}. 

- A fixed function C{i, (pi, 6i,ri, s) that for each non output qubit i computes the angle of the 
measurement of qubit i to be sent to Bob. 

• Initial Step 

- Alice's move: Alice sets all the value in s to be and prepares the qubits in the following 
form 

yi£ D \di) 

and sends Bob all the 3A^(3A^ + l)/2 qubits in the order of the labelling of the vertices of the 
graph. 

- Bob's move: Bob receives 3A(3A^ + l)/2 single qubits and entangles them according to 

• Step i: l<i< 3N{3N + l)/2 

- Alice's move: Alice computes the angle Si = C{i,(j)i,6i,ri,s) and sends it to Bob. 

- Bob's move: Bob measures qubit i with angle 6i and sends Alice the result bi. 

- Alice's move: Alice sets the value of Sj in s to be Si + ri. 

• Verification 

Alice accepts if Si = ri for all the white and black trap qubits i. 
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Figure 5: A graphical depiction of Protocol [8j In this figure we replace the Raussendorf-Harrington- 
Goyal encoding in the first step with a simpler computation, as to include a full encoding yields 
graphs too large to reasonably draw. 

Proof. First we note that it is always possible to choose measurement patterns M-p by Lemma[2]and 
^Reduce by Lemma [TJ Further, by the universality of the Raussendorf-Harrington-Goyal encoding, 
it is always possible to choose Mcomp- As the measurements composing Mp, Mjieduce, Mp and M^ 
are composed entirely of Pauli basis measurements, there is no partial time ordering imposed on 
the sequence of measurements, and so the times at which these measurements are made have no 
effect on the outcome of the protocol. Thus for any honest run of the protocol, the result will be the 
same as if the measurements from Mp were made first. By construction this measurement pattern 
splits the graph state into three separate graph states ICn- 

The dummy qubits in Mp and M^ correspond to break operations in their respective graphs 
by Lemma [4] and hence after the initial step all the trap qubits remain unentangled from the rest. 
Recall that for these trap qubits (pi = 0, and since the qubit is prepared in the state l+e^) and 
measured in basis {1+6*^) , 1—6*;)}; the measurement result communicated to Alice is Si = ri for all 
such qubits. Thus, Alice always accepts, satisfying the first criterion. 

By definition Mpeduce transforms the graph state corresponding to Kj^ to the resource state 
necessary to implement Wlcomp- Lastly, measuring according to M.Comp yields the correct output of 
C by the correctness of the Raussendorf-Harrington-Goyal protocol. D 
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Theorem 12. Protocol^is blind while leaking at most N. 

Proof. The proof is directly obtained from Theorem [5} D 



In order to prove the verification property, as stated in Theorem 10, we require that the mea- 
surement pattern is encoded in such a way that any Pauh error of weight less than d will be either 
corrected or detected. We now show that this is true for the Raussendorf-Harrington-Goyal scheme 
although this is already implicit in their paper ^9j, we make it explicit here for completeness. In 
what follows, we take C to be the 3D lattice corresponding to the resource state used in |9]. 

Lemma 5. Let Mc be a measurement pattern which implements a computation C on Qc, the graph 
state corresponding to the lattice C, using the Raussendorf-Harrington-Goyal fault tolerance scheme 
with the following parameters 

• Defect thickness d 

• Lattice scale parameter X = 5d 

• Distillation of resource states \A) and \Y) using L = [log3(d)] levels 

• For each concatenation level 1 < i < L the thickness parameter and scale parameter for that 
level are chosen as di = 3(i£_i and \i = 3A^_i, with di = 1, Xi = 5, di = d and Xl = X. 

Take a = {cr^} to be a set of Pauli operators, such that each u* G {I,X,Y, Z} and acts on qubit i. 
Then for any a, i/Mc is implemented on state \Gc) , but the output of each measurement result or 
unmeasured qubit i is modified by applying o"', then either the computation is correct (corresponding 
to a run where all a^ = I) or an error is detected when the output is decoded, unless \Bc\ + \Cc\ + 
\D'^\ > 2d, where Be = {x : a"" = X}, Cc = {x : a^ = Y} and D^ = {x : a^ = Z and x e O], 
and where O is the set of output (unmeasured) qubits. 

Proof. In the Raussendorf-Harrington-Goyal scheme, logical qubits are topologically protected 
against errors. The two lowest weight topological errors are error cycles around defects and er- 
ror chains running between defects. As defects have thickness d, any cross-section forms a rectangle 
of dimension at least d x d and thus perimeter at least 4(d +1). As an error cycle must fit around 
the remaining defect, the minimum error cycle is at least 4(i. As the centres of defects are separated 
by distance A, the minimum distance between defects is X — d and hence for our parameters we 
have X — d = Ad. 

The only region where this topological protection breaks down is within the regions used to 
distill the resource states \A) and |y). This distillation is performed using a concatenation of L 
levels of the Reed-Muller {\A)) or Steane {\Y)) codes. Each level i of distillation is topologically 
protected with parameters dt and A^. As the Reed-Muller and Steane codes are both distance 3, 
an error at level £ can be caused either by a topological error at that level or not less than 3 errors 
at the previous level. However, since at each level i < L we have Xf — di = Adi and di = 3(i£_i, the 
minimum weight W£ to create an error at level i is min(4(i^,8d^_i,4d£_i + we-i,3we-i). The four 
terms in this last expression account, respectively, for the minimum weight errors in each of the 
four possible cases: 1) The error is entirely topological at level i, 2) The error is entirely topological 
at level i — 1, 3) the error includes both topological errors at level i — 1 (which in the worst case 
affects two qubits with a single weight Adi error chain) and inherited errors from level i — 2, and 
4) the case where all errors are inherited from level i — 2. 

We then prove that we > 2de by induction, as follows. Assume that at level i we have Wi > 2di. 
In that case we have Wj+i = min(4di+i, 6dj), since by assumption Adi + Wi > 6di and 3wi > Qdi, and 
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clearly 8di > 6di. However, we have dj+i = 3di for all levels except the top level, where di < Sd^-i. 
Thus, in general, 2(ij+i < 6di, and hence Wi+i > 2(ii+i. At the lowest level the error distillation 
uses unencoded qubits measured in non-Pauli bases, and so u)o = 1, so ^i;l = 3 > 2di = 2 and thus 
by induction on i we obtain the result that wl > 2d as required. 

Note, however, that any operation on a measured qubit which is diagonal in the computational 
basis ((T* G {I, Z}) does not alter the computation. Hence an undetectable logical error is not 
created unless the total number of measured sites for which u* S {X, Y} plus the total number of 
output qubits for which a^ G {X, Y, Z} is equal to or greater than 2d. Thus the outcome is either 
correct or when decoded results in a detected error, unless \Bc\ + \Cc\ + \D^\ > 2d. D 

Now we link the above general property of the Raussendorf-Harrington-Goyal scheme to our 
specific protocol. To do so, we first introduce the notion of independently detectable errors. 

Definition 9. Given a dotted- complete graph state K^, a set of output qubits O, a measurement 
pattern Witarget containing only X-Y plane measurements and Z basis measurements, and a set of 
single qubit Pauli operators a = {a^}]Li with a* S {I,X,Y, Z} which represent errors which modify 
each measurement result or unmeasured output qubit i by the application of a^ , for each location i 
we define the set ej = {i} for i G P{Kj\f), and ej = A''^^ (i) for i G A{Kj\/). We say that o contains 
k independently detectable errors if and only if there exists a set £ of k locations such that 

• For all ie£, a^ e {X,Y} if i (^ O or else a* G {X,Y,Z} if i G O, and 

• Ej n e,- = for all pairs i,j £ £. 



The intuition behind this definition is that in Protocol pi the qubits in P(i^3Ar) are independently 
randomly distributed between the two trap graphs and the computation graph, and whether or not 
a qubit in ^(A'sjv) coincides with a trap or not depends only on the placement of the neighbouring 
qubits (which are both in P{K3i\i)). The first condition ensures that the error anticommutes with 
some possible measurement of the system, and is hence truly an error, while the second condition 
ensures that we are considering only qubits associated with unique subsets of P{K3n), and hence 
whether or not they coincide with a trap is uncorrelated. With this definition in place, we can 
proceed with proving a corollary to Lemma [5] which links that result with Protocol [8j 

Corollary 1. Let Mc be a measurement pattern which implements a computation C on graph state 
Gc of N vertices using the Raussendorf-Harrington-Goyal scheme with parameters 

• Defect thickness d 

• Lattice scale parameter X = 5d 

• Distillation of resource states \A) and \Y) using L = [log3(d)] levels 

• For each concatenation level 1 < i < L the thickness parameter and scale parameter for that 
level are chosen as di = 3d£_i and \i = Xi^i, with di = 1, Xi = 5, di = d and Xl = X. 

Further, let Mjieduce be a partial measurement pattern consisting of Pauli Z and Pauli Y mea- 
surements on qubits corresponding to the vertices in A{K]\f) which reduces Km to Qc up to local 
Z -rotations. Let M be the measurement pattern for graph state /Cat produced by applying the partial 
pattern M/jeduce io the qubits corresponding to vertices in A{Ki\i) and Mc (with appropriate local 
Z -rotations applied) to the qubits corresponding to vertices in P{Ki\j). 

Take a = {u*} to be a set of single qubit Pauli operators, such that each a^ G {/, X, Y, Z} acts 
on qubit i. Then for any a, ifWic ^^ implemented on state K]\f, but the output of each measurement 
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result or unmeasured qubit is modified by applying cr*, then either the computation is correct (cor- 
responding to a run where all cr* = I) or an error is detected when the output is decoded, unless a 
contains at least \-r-~\ independently detectable errors. 

Proof. First we note that only qubits in P(i^37v) are contained in O, since all qubits in A{K^]sf) 
will be measured to make the required resource states. All measurements on qubits associated with 
vertices A{K]s[) are in either the Y or Z basis, allowing any error in the measurement outcome 
to be associated with an X error on the underlying qubit. As the generators for the stabiliser of 
/Cat are simply the operators Xi Yljpj^. a) Zj, and each vertex in A^Kjy) has only two neighbours, 

both of which lie in P^Kjy), an X error on a qubit associated with a vertex in A{Kj\f) is equivalent 
to a local error on each of two qubits in P{Kn). Thus any local Pauli operator in a^ associated 



with a vertex in A{Ki^) can be either replaced by at most two local operators ^^ acting on qubits 
associated with vertices in P{K]\f) without altering the outcome of the computation, or has no 
effect on the computation. 

We note that the only Pauli terms which can affect the outcome of the computation are those 
which either flip a measurement outcome {X or Y) or those which act non-trivially upon an 
unmeasured qubit (as either X, Y or Z). By Lemmapl the outcome of the computation is unaltered 
unless a produces such errors on at least 2d sites. To show that this implies the existence of at least 
[^] independently detectable errors we will consider the effects of errors on A{}C]\[) and P{1Cn) in 
relation to the resource state for the Raussendorf-Harrington-Goyal scheme, Qc. Errors on A{1Cm) 
only occur when the qubit in question is measured in the Y basis, since for Z basis measurements 
dummy qubits are used and the outcome of Bob's measurement is ignored. Thus, as we have shown 
above, such errors correspond to local Pauli errors at either end of an edge in the Qc. Errors in 
P{ICn), however, correspond simply to errors on single vertices in Qc. Therefore, we can consider 
any error introduced by a as corresponding to a subgraph g^ of Qc, where i S A{IC]y) introduces 
the vertices in Nj^ (i) together with a connecting edge, while i £ P{}Cn) simply introduces the 
vertex i. Such a subgraph contains all of the qubits in Qc which can possibly be affected by local 
errors after the measurement of qubits according to M/jed«ce are taken into account (propagating 
errors from A{K.n) to P{K.n))- 

We note that any connected subgraph g^ of g^ containing n^ vertices necessarily contains at 
least Ux — 1 edges. Note also that Qc is 4-edge-colourable (see Figure [6|. Thus, by the pigeonhole 
principle, there is at least one colour for that subgraph which corresponds to at least f "^^" ] edges. 
As the various subgraphs g^ are disconnected, we are free to choose the colouring independently 
for each, and hence can choose a single 4-edge-colouring for g^ such that it includes at least [ """^ ] 
edges from each subgraph. We then take the set S to correspond to qubits in A{1Cn) corresponding 
to edges of this colour, as well as to the single vertex in any g^ for which Ux = 1, hence ejlHej = 0. By 
Lemma [5j this insures that the outcome of the computation is either correct or an error is detected 
upon decoding, or a contains at least '^Zxn >2\ '^'^i 1 + Sxn =i ^ independently detectable errors, 
where ^^ n^ > 2d. Note that 

E^Ur — 1-, v^ 2d 

x:nj;>2 x:nx=l 

and hence the computation is either correct or an error is detected upon decoding, or a contains 
at least [^] independently detectable errors. D 



^^As Pauli Z operators always commute with Z basis measurements, and anticommute with any measurement in 
the X — Y plane, these local operators are always Pauli operators due to the corresponding restriction on Mtargot- 
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Figure 6: The unit cell for the lattice corresponding to the Raussendorf-Harrington-Goyal scheme, 
Qc, complete with one choice of 4-edge-colouring. 



The above corollary guarantees that one of the condition of Theorem 10 for the verification 
with the amplified security is satisfied. However we cannot yet directly use that theorem since, as 
stated before, the position of the traps are not completely random as the position of the black traps 
are fixed once we choose the random position assignment of qubits in P{IC3n) to each of the three 
subgraphs. This is why we have introduced the notion of independently detectable errors. Here we 
give a direct proof of verification for Protocol [8] following the same steps as the proof of Theorem 

m 

Theorem 13. Protoco/Nis in general (5/6)' ~5' '-verifiable, and in the case of only classical output 
is (2/3)' ~5' ' -verifiable, where d is the security parameter as described in ProtocolvA 

Proof. The proof of this theorem follows the same strategy as Theorem |9| first taking the most 
general strategy for Bob, expanding this in terms of Pauli operators, and lastly showing that any 
Pauli term which leads to an incorrect outcome is detected with high-probability. We note that 
any deviation by Bob from Protocol [8] can be rewritten in the form shown in Figure |4j The proof 
of this is identical to the corresponding step in the proof of Theorem [9) Without loss of generality 
any deviation by Bob from the protocol can be written in the form of Figure pi We can treat {6i} 
as inputs to the circuit without violating causality, as they do not interact with any other part of 
the computation until after bj has been measured, for all j < i. Then simply by reordering the 
operators via their commutation relations we obtain the form in Figure |4] as required. As a result, 
any deviation by Bob can be written as a single deviation operator U which acts upon the quantum 
states Bob receives from Alice as well as 6i and some private register held by Bob. Similar to the 
proof of Theorem [9] the probability of Alice accepting an incorrect outcome density operator is then 

Pincorrect = Tr I 2_^P\^) ^incorrect^ j\^) I 

= Tr \y^p{u)P^ncorrect^Vm^ |0) (0|) 1^^) {^'^\)V^n^ 

= Y, «.«,*Tr (Y,piu)P± ((g) K) ivn] ^.^((^"^ |0) (0|) » 1^^) {^"DV^aA 
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where fi = ^ ajCTj. As Q is unitary Y^- |ajp = 1. 

By Corollary [T| P± projects out the terms in the above sum where Uj does not contain at 
least \-r-~\ independently detectable errors on the computation graph. This is a somewhat stronger 
condition than we actually need, and so we will consider terms corresponding to any ctj which 
produces at least [^] independently detectable errors in total across all three subgraphs (the 
computation graph and the two trap graphs). We will denote by I the set of all i for which cjj does 
not satisfy this condition. Thus we have 



Pincorrect < ^ aja*Tr I ^p(l^ 




vt) {vt\ <r.r (K lo) (o|) » l^'^) (^1) r^a, 



Similar to the proof of Theorem^ as Bob's private register is in the fixed initial state 0^ |0) (0| 
and the register containing the angles {6i} contains classical data, it suffices to consider only cjju 
and (Tji^ G {/, X} across these registers. Then, as before, all terms for which i ^ j go to zero when 
the average over i' is taken. Thus, 

Pincorrect < Yl l^^l'^r ( 5]p(^)( (g) K) iVtl )^i^((®'' |0) (0|) {^^ (^1)^^, J . 

j^x \ I' teT / 



As in the proof of Theorem 10 , we introduce notional sets Sx of three qubits each such that exactly 
one qubit from each set is on each of the three subgraphs (the two trap graphs and the computation 
graph), and where either all of the qubits are in P[1C3n) or all of the qubits are in A{}C3iy) (ensuring 
exactly one trap and at least one dummy qubit per set). As every Uj in the above sum corresponds 
to at least [^] independently detectable (and hence uncorrelated) errors across these sets Sx, we 
have 



P^ncorrect < J] |a.pTr fep(^)((g) |C> (C I )'^*^((®'' |0) (0|) ® I*') (^1)^^^. ) 
i(^X \ u X / 

where as before tx denotes the location of the trap qubit in set Sx- Averaging over all values of t^ 
rt^ and 9t^ , in general this gives 

<r \^ I I'^TJ f^ — — 

Pincorrect —i / ^ \^i\ III a 



sEw=n(i-^ 



E 



Oli?' 



Eo;-^^ 



i^X 
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where Wx denotes the number of independently detectable errors which fall within set Sx- In the 
special case of all classical output, however, the bound can be made tighter, since j^t'^) = yt^')) 
and hence 



Pincorrect 






< 



< 
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Wx 
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8 Conclusions and discussion 

We have extended the original blind quantum computing (BQC) protocol presented in p] with 
new concepts of blind preparation of isolated dummy qubits (a qubit prepared randomly in the 
set {|0) , |1)} ) and isolated trap qubits (a qubit prepared randomly in the set {|+)e})- These two 
simple additions lead to an intuitive proof of verification a desired property for any BQC protocol 
(also known as authentication). However, in this way only polynomially bounded security could be 
achieved. Building upon these ideas, combined with fault-tolerant computation, we presented a new 
universal BQC protocol that achieve exponentially bounded security for the verification scheme 
using new resource state called the dotted-complete graph state. The new protocol extend the 
topological fault-tolerant measurement-based quantum computation scheme due to Raussendorf, 
Harrington and Goyal [9] to a blind setting. We note that while consideration of fault-tolerance in 
the blind computation itself is beyond the scope of the present work, if Protocol [8] is modified so 
as to allow Alice to accept a finite error rate on the trap qubits, the probability of Bob successfully 
cheating is exponentially suppressed in the gap between the expected error weight inferred from 
trap measurements and our threshold of [-g-], and so a fault-tolerant adaptation of this protocol 
should be possible. 

As mentioned before, a verifiable BQC protocol can be viewed as an interactive proof system 
where Alice acts as the verifier and Bob as the prover U |3]. This link to the complexity theory 
opens up a novel approach to questions such as the open problem of finding an interactive proof 
for any problem in BQP with a BQP prover, but with a purely classical verifier. As presented in 
[3] any BQC protocol makes progress towards finding a solution by providing an interactive proof 
for any language in BQP, with a quantum prover and a BPP verifier that also has the power to 
generate random qubits chosen from a fixed set and send them to the prover. 
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